Python Security Vulnerabilities
The Status of Python branches page lists which Python branches still receive security fixes.
Total: 95 vulnerabilities. In the table below, "Fixed In" gives the first release of each branch that contains the fix, "Vulnerable" lists branches for which no fixed release was recorded when the table was generated, and "–" means no entry.
Vulnerability | Disclosure | Fixed In | Vulnerable | CVE |
---|---|---|---|---|
Parsing errors in email/_parseaddr.py lead to incorrect value in email address part of tuple | 2023-03-24 | – | 3.10 3.7 3.8 3.9 | CVE-2023-27043 |
urlparse does not correctly handle schemes | 2022-11-12 | 3.11.1 | 3.10 3.7 3.8 3.9 | CVE-2023-24329 |
Buffer overflow in the _sha3 module in Python 3.10 and older | 2022-10-21 | 3.7.16 3.8.16 3.9.16 3.10.9 | – | CVE-2022-37454 |
Slow IDNA decoding with large strings | 2022-10-19 | 3.7.16 3.8.16 3.9.16 3.10.9 3.11.1 | – | CVE-2022-45061 |
Linux specific local privilege escalation via the multiprocessing forkserver start method | 2022-09-23 | 3.9.16 3.10.9 3.11.0 | – | CVE-2022-42919 |
Prevent DoS by large str-int conversions | 2022-08-08 | 3.7.14 3.8.14 3.9.14 3.10.7 3.11.0 | – | CVE-2020-10735 |
Windows: vulnerable zlib 1.2.11 | 2022-04-01 | 3.7.14 3.8.14 3.9.13 3.10.5 | – | CVE-2018-25032 |
Windows: vulnerable bzip2 1.0.6 | 2021-07-02 | 3.7.13 3.8.13 3.9.11 3.10.3 | – | CVE-2016-3189 CVE-2019-12900 |
CVE-2013-0340 Billion Laughs fixed in Expat 2.4.0 | 2021-06-11 | 3.6.15 3.7.12 3.8.12 3.9.7 3.10.0 | – | CVE-2013-0340 |
CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response | 2021-05-03 | 3.6.14 3.7.11 3.8.11 3.9.6 3.10.0 | – | CVE-2021-3737 |
urllib.parse should sanitize urls containing ASCII newline and tabs | 2021-04-18 | 3.6.14 3.7.11 3.8.11 3.9.5 3.10.0 | – | CVE-2022-0391 |
ipaddress leading zeros in IPv4 address | 2021-03-30 | 3.8.12 3.9.5 3.10.0 | – | CVE-2021-29921 |
ftplib should not use the host from the PASV response | 2021-02-21 | 3.6.14 3.7.11 3.8.9 3.9.3 3.10.0 | – | – |
http.server: Open Redirection if the URL path starts with // | 2021-02-14 | 3.7.14 3.8.14 3.9.14 3.10.6 3.11.0 | – | CVE-2021-28861 |
CVE-2021-3733: ReDoS in urllib.request | 2021-01-30 | 3.6.14 3.7.11 3.8.10 3.9.5 3.10.0 | – | CVE-2021-3733 |
Information disclosure via pydoc getfile | 2021-01-21 | 3.6.14 3.7.11 3.8.9 3.9.3 3.10.0 | – | CVE-2021-3426 |
urllib parse_qsl(): Web cache poisoning - semicolon as a query args separator | 2021-01-19 | 3.6.13 3.7.10 3.8.8 3.9.2 3.10.0 | – | CVE-2021-23336 |
ctypes: Buffer overflow in PyCArg_repr | 2021-01-16 | 3.6.13 3.7.10 3.8.8 3.9.2 3.10.0 | – | CVE-2021-3177 |
CJK codecs tests call eval() on content retrieved via HTTP | 2020-10-05 | 3.6.13 3.7.10 3.8.7 3.9.1 3.10.0 | – | CVE-2020-27619 |
[CVE-2020-14422] Hash collisions in IPv4Interface and IPv6Interface | 2020-06-17 | 3.5.10 3.6.12 3.7.9 3.8.4 3.9.0 | – | CVE-2020-14422 |
http.client: HTTP Header Injection in the HTTP method | 2020-02-10 | 3.5.10 3.6.12 3.7.9 3.8.5 3.9.0 | – | CVE-2020-26116 |
CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7 | 2020-01-21 | 3.6.11 3.7.7 3.8.2 3.9.0 | – | CVE-2020-8315 |
Email header injection in Address objects | 2019-12-17 | 3.5.10 3.6.11 3.7.8 3.8.4 3.9.0 | – | – |
Infinite loop in tarfile module while opening a crafted file | 2019-12-10 | 3.5.10 3.6.12 3.7.9 3.8.5 3.9.0 | – | CVE-2019-20907 |
Remove newline characters from uu encoding methods | 2019-11-30 | 2.7.18 3.5.10 3.6.10 3.7.6 3.8.1 3.9.0 | – | – |
urllib basic auth regex denial of service | 2019-11-17 | 3.5.10 3.6.11 3.7.8 3.8.3 3.9.0 | – | CVE-2020-8492 |
Regular Expression Denial of Service in http.cookiejar | 2019-11-14 | 2.7.18 3.5.10 3.6.10 3.7.6 3.8.1 3.9.0 | – | – |
CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen() | 2019-10-24 | 2.7.18 3.5.10 3.6.11 3.7.8 3.8.3 3.9.0 | – | CVE-2019-18348 |
Reflected XSS in DocXMLRPCServer | 2019-09-21 | 2.7.17 3.5.8 3.6.10 3.7.5 3.8.0 | – | CVE-2019-16935 |
ssl.match_hostname() ignores extra string after whitespace in IPv4 address | 2019-07-01 | 3.7.4 3.8.0 | – | – |
urlsplit does not handle NFKC normalization (second fix) | 2019-04-27 | 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 | – | CVE-2019-10160 |
urlsplit does not handle NFKC normalization | 2019-03-06 | 2.7.17 3.5.7 3.6.9 3.7.3 3.8.0 | – | CVE-2019-9636 |
urllib module local_file:// scheme | 2019-02-06 | 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 | – | CVE-2019-9948 |
TALOS-2018-0758 SSL CRL distribution points Denial of Service | 2019-01-15 | 2.7.16 3.4.10 3.5.7 3.6.9 3.7.3 3.8.0 | – | CVE-2019-5010 |
http.cookiejar: Incorrect validation of path | 2019-01-03 | 2.7.17 3.4.10 3.5.7 3.6.9 3.7.3 3.8.0 | – | – |
xml package does not obey ignore_environment | 2018-09-24 | 2.7.16 3.4.10 3.5.7 3.6.8 3.7.2 3.8.0 | – | – |
pickle.load denial of service | 2018-09-13 | 3.4.10 3.5.7 3.6.7 3.7.1 3.8.0 | – | CVE-2018-20406 |
_elementtree C accelerator doesn’t call XML_SetHashSalt() | 2018-09-10 | 2.7.16 3.4.10 3.5.7 3.6.7 3.7.1 3.8.0 | – | CVE-2018-14647 |
email.utils.parseaddr mistakenly parses an email | 2018-07-19 | 2.7.17 3.5.8 3.6.10 3.7.5 3.8.0 | – | CVE-2019-16056 |
Email folding function Denial-of-Service | 2018-05-16 | 3.6.9 3.7.4 3.8.0 | – | – |
Buffer overflow vulnerability in os.symlink on Windows | 2018-03-05 | 3.4.9 3.5.6 3.6.5 3.7.0 | – | CVE-2018-1000117 |
difflib and poplib catastrophic backtracking | 2018-03-02 | 2.7.15 3.4.9 3.5.6 3.6.5 3.7.0 | – | CVE-2018-1060 CVE-2018-1061 |
Python 2.7 readahead is not thread safe | 2017-09-20 | 2.7.15 | – | CVE-2018-1000030 |
Expat 2.2.3 | 2017-07-17 | 2.7.14 3.3.7 3.4.8 3.5.5 3.6.3 3.7.0 | – | – |
Environment variables injection in subprocess on Windows | 2017-06-22 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | – |
Expat 2.2.1 | 2017-06-17 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | CVE-2012-0876 CVE-2016-0718 CVE-2016-9063 CVE-2017-9233 |
PyString_DecodeEscape integer overflow | 2017-06-13 | 2.7.14 3.4.8 3.5.5 | – | CVE-2017-1000158 |
bpo-30500: urllib connects to a wrong host | 2017-05-29 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | – |
HTTP Header Injection (follow-up of CVE-2016-5699) | 2017-05-24 | 2.7.17 3.5.8 3.6.9 3.7.4 3.8.0 | – | CVE-2019-9740 CVE-2019-9947 |
Py_SetPath(): _Py_CheckPython3 uses uninitialized DLL path | 2017-03-10 | 3.5.10 3.6.12 3.7.9 3.8.4 3.9.0 | – | CVE-2020-15523 |
urllib FTP protocol stream injection | 2017-02-20 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.3 3.7.0 | – | – |
Expat 2.2 (Expat bug #537) | 2017-02-17 | 2.7.14 3.3.7 3.4.7 3.5.4 3.6.2 3.7.0 | – | CVE-2016-0718 CVE-2016-4472 |
Zlib 1.2.11 | 2017-01-05 | 2.7.14 3.4.8 3.5.4 3.6.1 3.7.0 | – | CVE-2016-9840 CVE-2016-9841 CVE-2016-9842 CVE-2016-9843 |
gettext.c2py() | 2016-10-30 | 2.7.13 3.3.7 3.4.6 3.5.3 3.6.0 | – | – |
Sweet32 attack (DES, 3DES) | 2016-08-24 | 2.7.13 3.4.7 3.5.3 3.6.0 | – | CVE-2016-2183 |
HTTPoxy attack | 2016-07-18 | 2.7.13 3.3.7 3.4.6 3.5.3 3.6.0 | – | CVE-2016-1000110 |
smtplib TLS stripping | 2016-06-11 | 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 | – | CVE-2016-0772 |
Issue #26657: HTTP server directory traversal | 2016-03-28 | 2.7.12 3.3.7 3.4.7 3.5.2 3.6.0 | – | – |
Issue #26556: Expat 2.1.1 | 2016-03-14 | 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 | – | CVE-2015-1283 |
zipimporter overflow | 2016-01-21 | 2.7.12 3.3.7 3.4.5 3.5.2 3.6.0 | – | CVE-2016-5636 |
mailcap shell command injection | 2015-08-02 | 3.7.16 3.8.16 3.9.16 3.10.8 3.11.0 | – | CVE-2015-20107 |
HTTP header injection | 2014-11-24 | 2.7.10 3.3.7 3.4.4 3.5.0 | – | CVE-2016-5699 |
Validate TLS certificate | 2014-08-28 | 2.7.9 3.4.3 3.5.0 | – | CVE-2014-9365 |
buffer() integer overflows | 2014-06-24 | 2.7.8 | – | CVE-2014-7185 |
JSONDecoder.raw_decode | 2014-04-13 | 2.7.7 3.2.6 3.3.6 3.4.1 3.5.0 | – | CVE-2014-4616 |
os.makedirs() not thread-safe | 2014-03-28 | 3.2.6 3.3.6 3.4.1 3.5.0 | – | CVE-2014-2667 |
socket.recvfrom_into() overflow | 2014-01-14 | 2.7.7 3.2.6 3.3.4 3.4.0 | – | CVE-2014-1912 |
zipfile DoS using invalid file size | 2013-12-27 | 3.3.4 3.4.0 | – | CVE-2013-7338 |
CGI directory traversal (URL parsing) | 2013-10-29 | 2.7.6 3.2.6 3.3.4 3.4.0 | – | – |
ssl: NULL in subjectAltNames | 2013-06-27 | 2.6.9 2.7.6 3.2.6 3.3.3 3.4.0 | – | CVE-2013-4238 |
ssl.match_hostname() IDNA issue | 2013-05-17 | 3.3.3 3.4.0 | – | CVE-2013-7440 |
ssl.match_hostname() wildcard DoS | 2013-05-15 | 3.2.6 3.3.3 3.4.0 | – | CVE-2013-2099 |
Limit imaplib.IMAP4_SSL.readline() | 2012-09-25 | 2.7.16 | – | CVE-2013-1752 |
ftplib unlimited read | 2012-09-25 | 2.7.6 3.2.6 3.3.3 3.4.0 | – | CVE-2013-1752 |
nntplib unlimited read | 2012-09-25 | 2.6.9 2.7.6 3.2.6 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1752 |
poplib unlimited read | 2012-09-25 | 2.7.9 3.2.6 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1752 |
smtplib unlimited read | 2012-09-25 | 2.7.9 3.2.6 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1752 |
xmlrpc gzip unlimited read | 2012-09-25 | 2.7.9 3.3.7 3.4.3 3.5.0 | – | CVE-2013-1753 |
Hash function not randomized properly | 2012-04-19 | 3.4.0 | – | CVE-2013-7040 |
Vulnerability in the utf-16 decoder after error handling | 2012-04-14 | 2.7.4 3.2.4 3.3.0 | – | CVE-2012-2135 |
XML-RPC DoS | 2012-02-13 | 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 | – | CVE-2012-0845 |
ssl CBC IV attack | 2012-01-27 | 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 | – | CVE-2011-3389 |
Hash DoS | 2011-12-28 | 2.6.8 2.7.3 3.1.5 3.2.3 3.3.0 | – | CVE-2012-1150 |
pypirc created insecurely | 2011-11-30 | 2.7.4 3.2.4 3.3.1 3.4.0 | – | CVE-2011-4944 |
urllib redirect | 2011-03-24 | 2.5.6 2.6.7 2.7.2 3.1.4 3.2.1 3.3.0 | – | CVE-2011-1521 |
SimpleHTTPServer UTF-7 | 2011-03-08 | 2.5.6 2.6.7 2.7.2 3.2.4 3.3.1 3.4.0 | – | CVE-2011-4940 |
audioop integer overflows | 2010-05-10 | 2.6.6 2.7.0 3.1.3 3.2.0 | – | CVE-2010-1634 |
audioop input validation | 2010-01-11 | 2.6.6 2.7.2 3.1.3 3.2.0 | – | CVE-2010-2089 |
httplib unlimited read | 2009-08-28 | 2.7.2 3.1.4 3.2.0 | – | CVE-2013-1752 |
smtpd accept bug and race condition | 2009-08-14 | 2.7.1 3.1.3 3.2.0 | – | CVE-2010-3492 CVE-2010-3493 |
Multiple integer overflows (Apple) | 2008-07-31 | 2.6.0 3.0.0 | – | CVE-2008-1679 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-2316 CVE-2008-3142 CVE-2008-3144 CVE-2008-4864 |
Multiple integer overflows (Google) | 2008-04-11 | 2.5.3 2.6.0 3.0.0 | – | CVE-2008-3143 |
expandtab() integer overflow | 2008-03-11 | 2.5.3 2.6.0 3.0.0 | – | CVE-2008-5031 |
CGI directory traversal (is_cgi() function) | 2008-03-07 | 2.7.0 3.2.4 3.3.1 3.4.0 | – | CVE-2011-1015 |
rgbimg and imageop overflows | 2007-09-16 | 2.5.3 2.6.0 | – | CVE-2007-4965 CVE-2009-4134 CVE-2010-1449 CVE-2010-1450 |
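The parse_qsl() row above (CVE-2021-23336) is the entry in this table that is easiest to reproduce offline, and it shows a whole class of bug: two components parsing the same query string with different separator rules. The Python below is an added example, not code from this page or from CPython. It re-implements the pre-fix splitting (both `&` and `;` separate pairs) beside the current `urllib.parse.parse_qs`, and models a cache that keys on `&`-separated pairs only and strips tracking parameters from its key. The cache policy (`utm_*` names ignored), the JSONP-style endpoint that reflects `callback`, and the sample query string are all constructed assumptions for the illustration.

```python
"""CVE-2021-23336 in working code: why ';' as a query separator enabled web cache poisoning.

Added example, not code from the page or from CPython. Before the fix,
urllib.parse.parse_qs()/parse_qsl() split a query string on both '&' and ';',
while caches, proxies and most other web stacks split on '&' only. An attacker
can exploit that disagreement to hide a parameter from the cache key inside a
parameter the cache ignores. The cache policy and the endpoint below are
assumptions made for the illustration.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus

# Assumed cache policy: tracking parameters are stripped from the cache key.
CACHE_KEY_IGNORED = {"utm_source", "utm_medium", "utm_campaign"}

QueryParser = Callable[[str], Dict[str, List[str]]]


def legacy_parse_qs(qs: str) -> Dict[str, List[str]]:
    """Re-implementation of the pre-fix CPython behaviour: '&' and ';' both separate pairs.

    Blank values are dropped, matching parse_qs(keep_blank_values=False).
    """
    result: Dict[str, List[str]] = {}
    for pair in (s2 for s1 in qs.split("&") for s2 in s1.split(";")):
        name, _, value = pair.partition("=")
        if not name or not value:
            continue
        result.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return result


def cache_key(path: str, qs: str) -> str:
    """Model of a cache that splits on '&' only and drops CACHE_KEY_IGNORED names from its key."""
    kept = [p for p in qs.split("&") if p and p.partition("=")[0] not in CACHE_KEY_IGNORED]
    return path + ("?" + "&".join(kept) if kept else "")


def app_callback(qs: str, parser: QueryParser) -> Optional[str]:
    """Model of a JSONP-style endpoint: reflects the first `callback` value it parses."""
    return parser(qs).get("callback", [None])[0]


def poisoning_check(path: str, qs: str) -> dict:
    """Compare what the cache keys on with what the application (old vs. fixed parser) sees.

    If the cache key equals the key of the clean URL while the application
    reflects an attacker-controlled `callback`, the cache would store the
    poisoned response under the clean key and serve it to every later visitor.
    """
    return {
        "cache_key": cache_key(path, qs),
        "legacy_callback": app_callback(qs, legacy_parse_qs),
        "fixed_callback": app_callback(qs, parse_qs),
    }


if __name__ == "__main__":
    # Constructed attacker request: the cache-ignored parameter hides a second one behind ';'.
    hostile = "utm_source=1;callback=evil"
    print(poisoning_check("/widget.js", hostile))
    # On fixed releases the old behaviour is only available as an explicit, reviewed choice.
    print(parse_qs(hostile, separator=";"))
```

With the hostile query string the modelled cache keys the response on `/widget.js`, the same key as a clean request, while the legacy parser hands the application `callback=evil`; the fixed parser sees a single `utm_source` value and no `callback` at all. Applications that need `;` must now opt in through the `separator` argument added with the fix, which is the right place to put that decision under review.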