Anolis OS update for python38:3.8 module



Updated: 2025-03-28
Risk: High
Patch available: YES
Number of vulnerabilities: 15
CVE-ID: CVE-2021-3733, CVE-2021-3737, CVE-2021-43818, CVE-2022-0391, CVE-2019-18874, CVE-2019-20477, CVE-2017-18342, CVE-2019-20907, CVE-2020-14422, CVE-2020-8492, CVE-2020-27619, CVE-2021-23336, CVE-2021-29921, CVE-2021-3177, CVE-2021-3426
CWE-ID: CWE-399, CWE-835, CWE-79, CWE-93, CWE-415, CWE-284, CWE-20, CWE-400, CWE-94, CWE-119
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #10 is available.
Vulnerable software

Anolis OS (Operating systems & Components / Operating system)

Operating system packages or components (Operating systems & Components / Operating system package or component): python38-wheel-wheel, python38-wheel, python38-wcwidth, python38-urllib3, python38-setuptools-wheel, python38-setuptools, python38-rpm-macros, python38-pytest, python38-pyparsing, python38-py, python38-pluggy, python38-pip-wheel, python38-pip, python38-packaging, python38-numpy-doc, python38-more-itertools, python38-jinja2, python38-babel, python38-attrs, python38-atomicwrites, python38-tkinter, python38-test, python38-psutil, python38-numpy-f2py, python38-numpy, python38-lxml, python38-libs, python38-idle, python38-devel, python38-debug, python38, python38-six, python38-requests, python38-pytz, python38-pysocks, python38-pycparser, python38-ply, python38-idna, python38-chardet, python38-asn1crypto, python38-PyMySQL, python38-scipy, python38-pyyaml, python38-psycopg2-tests, python38-psycopg2-doc, python38-psycopg2, python38-mod_wsgi, python38-markupsafe, python38-cryptography, python38-cffi, python38-Cython

Vendor OpenAnolis

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Resource management error

EUVDB-ID: #VU58295

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3733

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources in the AbstractBasicAuthHandler class in urllib. A remote attacker who controls the server can perform a regular expression denial of service attack during authentication.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU59089

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-3737

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in the client. A remote attacker who controls a malicious server can force the client into an infinite loop by returning a 100 Continue response.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU59660

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-43818

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the HTML Cleaner in lxml.html. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) CRLF injection

EUVDB-ID: #VU61675

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-0391

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data within the urllib.parse module in Python. A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
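The following is an added example, not code from the advisory or from CPython: a strict pre-parse check that refuses URLs carrying raw CR, LF or TAB characters (which patched CPython strips before parsing), plus a probe of whether the running interpreter already does so. The function names and the sample request targets are constructed for this example.

```python
"""Added example, not code from the advisory or from CPython: a strict
pre-parse check for the raw CR / LF / TAB characters behind CVE-2022-0391,
plus a probe of whether the running interpreter already strips them."""
from urllib.parse import SplitResult, urlsplit

# Patched CPython removes these three ASCII control characters from a URL
# before urlsplit() parses it; unpatched interpreters passed them through
# into the parsed components.
UNSAFE_URL_CHARS = frozenset("\r\n\t")


class UnsafeURLError(ValueError):
    """Raised for a URL that carries raw CR, LF or TAB."""


def strict_urlsplit(url: str) -> SplitResult:
    """Parse a URL, refusing (rather than silently repairing) control chars.

    Server-side code is usually better off rejecting such input outright:
    the request is logged as malformed instead of a quietly sanitised
    version slipping through, and the behaviour is the same on patched and
    unpatched interpreters.
    """
    found = sorted(UNSAFE_URL_CHARS.intersection(url))
    if found:
        raise UnsafeURLError(
            "raw control characters in URL: " + ", ".join(map(repr, found)))
    return urlsplit(url)


def is_safe_url(url: str) -> bool:
    """Boolean form of strict_urlsplit() for filtering pipelines."""
    try:
        strict_urlsplit(url)
    except UnsafeURLError:
        return False
    return True


# Constructed sample request targets, as they might be read back from an
# access log. The percent-encoded %0D%0A is data, not a raw line break, so
# this check accepts it; whoever decodes it later must handle it safely.
SAMPLE_TARGETS = [
    "http://example.test/index.html",
    "http://example.test/search?q=a%0D%0Ab",
    "http://example.test/path\r\nmore",
    "http://exa\tmple.test/",
]


def audit_targets(targets):
    """Split targets into accepted URLs and (url, reason) rejections."""
    accepted, rejected = [], []
    for target in targets:
        try:
            strict_urlsplit(target)
            accepted.append(target)
        except UnsafeURLError as exc:
            rejected.append((target, str(exc)))
    return accepted, rejected


def interpreter_strips_unsafe_chars() -> bool:
    """True if this interpreter's urlsplit() drops CR/LF/TAB before parsing.

    A patched interpreter parses the probe URL as host 'example.test' and
    path '/path'; an unpatched one leaves the control characters inside
    the netloc and path components.
    """
    parts = urlsplit("http://exam\r\nple.test/\tpath")
    return parts.netloc == "example.test" and parts.path == "/path"


if __name__ == "__main__":
    accepted, rejected = audit_targets(SAMPLE_TARGETS)
    print(f"accepted: {len(accepted)}, rejected: {len(rejected)}")
    for url, reason in rejected:
        print(f"  {url!r}: {reason}")
    print("interpreter strips CR/LF/TAB:", interpreter_strips_unsafe_chars())
```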

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Double Free

EUVDB-ID: #VU22848

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-18874

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because of refcount mishandling within a "while" or "for" loop that converts system data into a Python object. A remote attacker can trigger a double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper access control

EUVDB-ID: #VU25542

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-20477

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the "load" and "load_all" functions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU21781

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-18342

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient validation of user-supplied input in the "yaml.load()" API (yaml.safe_load is not used). A remote attacker can execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Infinite loop

EUVDB-ID: #VU32881

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20907

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop in Lib/tarfile.py in Python. A remote attacker can create a specially crafted TAR archive that leads to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource exhaustion

EUVDB-ID: #VU29544

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-14422

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application improperly computes hash values in the IPv4Interface and IPv6Interface classes in Lib/ipaddress.py in Python. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack if an application's performance depends on a dictionary containing IPv4Interface or IPv6Interface objects and the attacker can cause many dictionary entries to be created.
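As an added example (not from the advisory or from CPython), the probe below counts how many distinct hash values a set of distinct IPv4Interface and IPv6Interface objects produce on the running interpreter and checks that equal objects still hash equal; a hash that collapses distinct interfaces onto few values is what turns dictionary inserts into the resource exhaustion described here. The sample address blocks and function names are constructed for this example.

```python
"""Added example, not code from the advisory or from CPython: probe the
running interpreter for the hash-collision defect behind CVE-2020-14422."""
import ipaddress
from typing import Sequence


def sample_v4_interfaces(n: int):
    # Constructed sample: n distinct addresses inside 10.0.0.0/16, all /24.
    return [ipaddress.IPv4Interface(f"10.0.{i // 256}.{i % 256}/24")
            for i in range(n)]


def sample_v6_interfaces(n: int):
    # Constructed sample: n distinct addresses inside 2001:db8::/64.
    return [ipaddress.IPv6Interface(f"2001:db8::{i:x}/64")
            for i in range(1, n + 1)]


def distinct_hash_count(objs: Sequence[object]) -> int:
    """Number of different hash values the objects produce.

    Distinct interfaces compare unequal, so a correct __hash__ spreads
    them over (almost) as many values as there are objects. If it maps
    them onto a handful of values, every dict keyed on these objects
    probes one long collision chain and insert/lookup cost grows toward
    O(n) per operation, which is the resource exhaustion described above.
    """
    return len({hash(o) for o in objs})


def hashing_is_well_distributed(objs: Sequence[object],
                                min_ratio: float = 0.95) -> bool:
    """True when at least min_ratio of the objects get their own hash."""
    return distinct_hash_count(objs) >= min_ratio * len(objs)


def hash_contract_holds(objs: Sequence[object]) -> bool:
    """Equal objects must hash equal.

    Rebuild each interface from its string form and compare hashes, so a
    'fix' that merely randomised hashes per object would also be caught.
    """
    return all(hash(o) == hash(type(o)(str(o))) for o in objs)


def probe(n: int = 1000) -> dict:
    """Summarise the interpreter's behaviour for both address families."""
    v4, v6 = sample_v4_interfaces(n), sample_v6_interfaces(n)
    return {
        "n": n,
        "v4_distinct_hashes": distinct_hash_count(v4),
        "v6_distinct_hashes": distinct_hash_count(v6),
        "v4_ok": hashing_is_well_distributed(v4) and hash_contract_holds(v4),
        "v6_ok": hashing_is_well_distributed(v6) and hash_contract_holds(v6),
    }


if __name__ == "__main__":
    for key, value in probe().items():
        print(f"{key}: {value}")
```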

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Resource management error

EUVDB-ID: #VU25631

Risk: Medium

CVSSv4.0: 2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-8492

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in urllib.request.AbstractBasicAuthHandler when processing HTTP responses. A remote attacker who controls an HTTP server can send a specially crafted HTTP response to the client application and conduct a Regular Expression Denial of Service (ReDoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

11) Code Injection

EUVDB-ID: #VU50621

Risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-27619

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because Python executed the eval() function on code retrieved over the HTTP protocol in the Lib/test/multibytecodec_support.py CJK codec tests. A remote attacker able to intercept network traffic can perform a Man-in-the-Middle (MitM) attack and execute arbitrary Python code on the system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Input validation error

EUVDB-ID: #VU50814

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23336

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform web cache spoofing attack.

The vulnerability exists due to insufficient validation of user-supplied input in django.utils.http.limited_parse_qsl() when parsing strings with a semicolon (";"). A remote attacker can pass specially crafted data to the application and perform a spoofing attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper input validation

EUVDB-ID: #VU55056

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-29921

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Python interpreter and runtime (CPython) component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Buffer overflow

EUVDB-ID: #VU49973

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-3177

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within PyCArg_repr in _ctypes/callproc.c. A remote attacker can pass specially crafted input to Python applications that accept floating-point numbers as untrusted input, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper input validation

EUVDB-ID: #VU60098

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3426

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Binding Support Function (Python) component in Oracle Communications Cloud Native Core Binding Support Function. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

python38-wheel-wheel: before 0.33.6-6

python38-wheel: before 0.33.6-6

python38-wcwidth: before 0.1.7-16

python38-urllib3: before 1.25.7-5

python38-setuptools-wheel: before 41.6.0-5

python38-setuptools: before 41.6.0-5

python38-rpm-macros: before 3.8.12-1.0.1

python38-pytest: before 4.6.6-3

python38-pyparsing: before 2.4.5-3

python38-py: before 1.8.0-8

python38-pluggy: before 0.13.0-3

python38-pip-wheel: before 19.3.1-5

python38-pip: before 19.3.1-5

python38-packaging: before 19.2-3

python38-numpy-doc: before 1.17.3-6

python38-more-itertools: before 7.2.0-5

python38-jinja2: before 2.10.3-5

python38-babel: before 2.7.0-11

python38-attrs: before 19.3.0-3

python38-atomicwrites: before 1.3.0-8

python38-tkinter: before 3.8.12-1.0.1

python38-test: before 3.8.12-1.0.1

python38-psutil: before 5.6.4-4

python38-numpy-f2py: before 1.17.3-6

python38-numpy: before 1.17.3-6

python38-lxml: before 4.4.1-7

python38-libs: before 3.8.12-1.0.1

python38-idle: before 3.8.12-1.0.1

python38-devel: before 3.8.12-1.0.1

python38-debug: before 3.8.12-1.0.1

python38: before 3.8.12-1.0.1

python38-six: before 1.12.0-10

python38-requests: before 2.22.0-9

python38-pytz: before 2019.3-3

python38-pysocks: before 1.7.1-4

python38-pycparser: before 2.19-3

python38-ply: before 3.11-10

python38-idna: before 2.8-6

python38-chardet: before 3.0.4-19

python38-asn1crypto: before 1.2.0-3

python38-PyMySQL: before 0.10.1-1

python38-scipy: before 1.3.1-4

python38-pyyaml: before 5.4.1-1

python38-psycopg2-tests: before 2.8.4-4

python38-psycopg2-doc: before 2.8.4-4

python38-psycopg2: before 2.8.4-4

python38-mod_wsgi: before 4.6.8-3

python38-markupsafe: before 1.1.1-6

python38-cryptography: before 2.8-3

python38-cffi: before 1.13.2-3

python38-Cython: before 0.29.14-4

External links

https://anas.openanolis.cn/errata/detail/ANSA-2022:0403


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
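The "Vulnerable software versions" lists above give the vendor's fixed builds as "before VERSION-RELEASE", and the only mitigation offered is to install those builds. The script below is an added example, not part of the advisory or of Anolis tooling: it ports rpm's version ordering so that `rpm -qa` output can be checked against those values. The package names and fixed builds are taken from this advisory; the sample rpm output is constructed.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """librpm rpmvercmp() port (added example): -1 if a < b, 0 if equal, 1 if a > b."""
    i = j = 0
    while i < len(a) or j < len(b):  # skip separators: anything but alnum, '~', '^'
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"): i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"): j += 1
        ta, tb = a[i:i + 1], b[j:j + 1]
        if "~" in (ta, tb):  # tilde (pre-release) sorts before everything, even ""
            if ta != "~": return 1
            if tb != "~": return -1
            i, j = i + 1, j + 1; continue
        if "^" in (ta, tb):  # caret sorts after end-of-string, before anything else
            if not ta: return -1
            if not tb: return 1
            if ta != "^": return 1
            if tb != "^": return -1
            i, j = i + 1, j + 1; continue
        if not ta or not tb: break  # one side exhausted, decided below
        ma, mb = _SEG.match(a, i), _SEG.match(b, j)
        sa, isnum = ma.group(0), ta.isdigit()
        sb = mb.group(0) if mb.group(0)[0].isdigit() == isnum else ""  # same kind only
        if not sb: return 1 if isnum else -1  # a numeric segment beats an alpha one
        i, j = ma.end(), mb.end()
        if isnum:  # numeric: drop leading zeros, more digits wins
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb): return 1 if len(sa) > len(sb) else -1
        if sa != sb: return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b): return 0
    return -1 if i >= len(a) else 1  # whichever has characters left is newer

def vr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings the way rpm does: version, then release."""
    (va, _, ra), (vb, _, rb) = a.rpartition("-"), b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Fixed VERSION-RELEASE values quoted in this advisory ("before X" means X is fixed).
ADVISORY_FIXED = {"python38": "3.8.12-1.0.1", "python38-libs": "3.8.12-1.0.1",
                  "python38-pyyaml": "5.4.1-1", "python38-PyMySQL": "0.10.1-1"}

def vulnerable_packages(rpm_lines, fixed=ADVISORY_FIXED):
    # rpm_lines: output of  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
    hits = []
    for line in rpm_lines:
        name, _, vr = line.strip().partition(" ")
        if name in fixed and vr_cmp(vr, fixed[name]) < 0:  # installed sorts before fix
            hits.append(name)
    return hits

# Constructed sample of rpm -qa output (not taken from a real host).
SAMPLE_RPM_QA = ["python38 3.8.8-4.0.1", "python38-libs 3.8.12-1.0.1.an8",
                 "python38-pyyaml 5.3.1-1", "python38-PyMySQL 0.10.1-1"]
```

A release with a distribution suffix such as `1.0.1.an8` sorts after `1.0.1`, so it is reported as fixed, which matches the advisory's "before" semantics.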
