Ubuntu update for python3.10
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 41 |
| CVE-ID | CVE-2015-20107 CVE-2018-1060 CVE-2018-1061 CVE-2018-14647 CVE-2018-20406 CVE-2018-20852 CVE-2019-9636 CVE-2019-10160 CVE-2019-16056 CVE-2019-16935 CVE-2019-17514 CVE-2019-18348 CVE-2019-20907 CVE-2019-5010 CVE-2019-9674 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2020-14422 CVE-2020-26116 CVE-2020-27619 CVE-2021-3177 CVE-2020-8492 CVE-2021-29921 CVE-2021-3426 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2022-0391 CVE-2022-42919 CVE-2022-45061 CVE-2023-24329 CVE-2022-48560 CVE-2022-48564 CVE-2022-48565 CVE-2022-48566 CVE-2023-40217 CVE-2023-41105 CVE-2023-6507 CVE-2023-6597 CVE-2024-0450 |
| CWE-ID | CWE-78 CWE-20 CWE-611 CWE-190 CWE-200 CWE-79 CWE-74 CWE-835 CWE-476 CWE-400 CWE-93 CWE-749 CWE-94 CWE-119 CWE-399 CWE-918 CWE-502 CWE-416 CWE-362 CWE-319 CWE-22 CWE-61 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #10 is available. Public exploit code for vulnerability #14 is available. Public exploit code for vulnerability #16 is available. Public exploit code for vulnerability #17 is available. Public exploit code for vulnerability #18 is available. Public exploit code for vulnerability #23 is available. |
| Vulnerable software Subscribe |
Ubuntu Operating systems & Components / Operating system python3.6-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.8-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.8 (Ubuntu package) Operating systems & Components / Operating system package or component python3.10-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.10 (Ubuntu package) Operating systems & Components / Operating system package or component python3.12-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.12 (Ubuntu package) Operating systems & Components / Operating system package or component python3.11-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.11 (Ubuntu package) Operating systems & Components / Operating system package or component python3.5-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.6 (Ubuntu package) Operating systems & Components / Operating system package or component python3.7 (Ubuntu package) Operating systems & Components / Operating system package or component python3.7-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.9 (Ubuntu package) Operating systems & Components / Operating system package or component python3.9-minimal (Ubuntu package) Operating systems & Components / Operating system package or component python3.5 (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 41 vulnerabilities.
1) OS Command Injection
EUVDB-ID: #VU64573
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-20107
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the mailcap module, which does not escape characters into commands discovered in the system mailcap file. A remote unauthenticated attacker can pass specially crafted data to the applications that call mailcap.findmatch with untrusted input and execute arbitrary OS commands on the target system.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU12283
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1060
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on he target system.
The weakness exists due to the way catastrophic backtracking was implemented in apop() method in pop3lib. A remote attacker can cause the service to crash.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper input validation
EUVDB-ID: #VU12282
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1061
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on he target system.
The weakness exists due to the way catastrophic backtracking was implemented in python's difflib.IS_LINE_JUNK method difflib. A remote attacker can cause the service to crash.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) XXE attack
EUVDB-ID: #VU15760
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14647
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct XXE-attack.
The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input, trigger pathological hash collisions in Expat's internal data structures, consume large amounts CPU and RAM, and cause a denial of service (DoS) condition.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Integer overflow
EUVDB-ID: #VU18403
Risk: Low
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20406
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to integer overflow in modules/_pickle.c when processing a large LONG_BINPUT value during the "resize to twice the size" attempt. A remote attacker can supply overly large data, trigger integer overflow and exhaust all resources on the system.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Information disclosure
EUVDB-ID: #VU19256
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20852
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the "http.cookiejar.DefaultPolicy.domain_return_ok" in the "Lib/http/cookiejar.py" file returns incorrect results during cookie domain checks. A remote attacker can trick a victim to execute a program that uses the "http.cookiejar.DefaultPolicy" to make an HTTP connection to an attacker-controlled server with a hostname that has another valid hostname as a suffix.
Successful exploitation of this vulnerability can allow an attacker to gain unauthorized access to sensitive information on the system, such as existing cookies. Mitigation
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Input validation error
EUVDB-ID: #VU18355
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9636
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input when processing data in Unicode encoding with an incorrect netloc during NFKC normalization. A remote attacker can gain access to sensitive information.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU20071
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10160
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user and password parts of a URL. This issue exists due to incorrect patch for previous issue described in SB2019030811 (CVE-2019-9636). A remote attacker can gain access to sensitive information.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Input validation error
EUVDB-ID: #VU22617
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-16056
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input when processing multiple occurrences of the "@" character in an email address. An application that uses the email module and implements some kind of
checks on the From/To headers of a message could be tricked into
accepting an email address that should be denied.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Cross-site scripting
EUVDB-ID: #VU21440
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-16935
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing the server_title field in the XML-RPC server (Lib/DocXMLRPCServer.py) in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Input validation error
EUVDB-ID: #VU35161
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-17514
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
library/glob.html in the Python 2 and 3 documentation before 2016 has potentially misleading information about whether sorting occurs, as demonstrated by irreproducible cancer-research results. NOTE: the effects of this documentation cross application domains, and thus it is likely that security-relevant code elsewhere is affected. This issue is not a Python implementation bug, and there are no reports that NMR researchers were specifically relying on library/glob.html. In other words, because the older documentation stated "finds all the pathnames matching a specified pattern according to the rules used by the Unix shell," one might have incorrectly inferred that the sorting that occurs in a Unix shell also occurred for glob.glob. There is a workaround in newer versions of Willoughby nmr-data_compilation-p2.py and nmr-data_compilation-p3.py, which call sort() directly.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) CRLF injection
EUVDB-ID: #VU31958
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18348
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Infinite loop
EUVDB-ID: #VU32881
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-20907
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop In Lib/tarfile.py in Python. A remote attacker can create a specially crafted TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) NULL pointer dereference
EUVDB-ID: #VU17805
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-5010
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the X509 certificate parser of the affected software improperly handles X509 certificates with a certificate extension that uses a Certificate Revocation List (CRL) distribution point with empty distributionPoint and cRLIssuer fields. A remote attacker can send a request to initiate a Transport Layer Security (TLS) connection using an X509 certificate that submits malicious input, trigger a NULL pointer dereference condition that causes the application to crash, resulting in a DoS condition.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
15) Resource exhaustion
EUVDB-ID: #VU25630
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9674
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in Lib/zipfile.py in Python when processing ZIP archives. A remote attacker can pass a specially crafted .zip archive to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) CRLF injection
EUVDB-ID: #VU18829
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-9740
CWE-ID:
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL after the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
17) CRLF injection
EUVDB-ID: #VU18828
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-9947
CWE-ID:
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform CRLF injection attacks.
The vulnerability exists within urllib2 implementation for Python 2.x and urllib3 implementation for Python 3.x when processing the path component of a URL that lacks the "?" character within the urllib.request.urlopen() call. A remote attacker with ability to control URL, passed to the application, can use CRLF sequences to split the HTTP request and inject arbitrary HTTP headers into request, made by the application.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
18) Exposed dangerous method or function
EUVDB-ID: #VU18827
Risk: Medium
CVSSv3.1: 6.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-9948
CWE-ID:
CWE-749 - Exposed Dangerous Method or Function
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to urllib implementation in Python 2.x supports the local_file: scheme. An attacker with ability to control input data, such as URL, can bypass protection mechanisms that blacklist file: URIs and view contents of arbitrary file on the system.
PoC:
urllib.urlopen('local_file:///etc/passwd')
Mitigation
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
19) Resource exhaustion
EUVDB-ID: #VU29544
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-14422
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application improperly computes hash values in the IPv4Interface and IPv6Interface classes within the Lib/ipaddress.py in Python. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) CRLF injection
EUVDB-ID: #VU48592
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-26116
CWE-ID:
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data in "http.client". A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Code Injection
EUVDB-ID: #VU50621
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-27619
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to Python executed eval() function on the code, retrieved via HTTP protocol in Lib/test/multibytecodec_support.py CJK codec tests. A remote attacker with ability to intercept network traffic can perform a Man-in-the-Middle (MitM) attack and execute arbitrary Python code on the system.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Buffer overflow
EUVDB-ID: #VU49973
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3177
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary within the PyCArg_repr in _ctypes/callproc.c. A remote attacker can pass specially crafted input to the Python applications that accept floating-point numbers as untrusted input, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Resource management error
EUVDB-ID: #VU25631
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-8492
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in urllib.request.AbstractBasicAuthHandler when processing HTTP responses. A remote attacker who controls a HTTP server can send a specially crafted HTTP response to the client application and conduct Regular Expression Denial of Service (ReDoS) attack.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
24) Improper input validation
EUVDB-ID: #VU55056
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-29921
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Python interpreter and runtime (CPython) component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Improper input validation
EUVDB-ID: #VU60098
Risk: Medium
CVSSv3.1: 5 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3426
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Binding Support Function (Python) component in Oracle Communications Cloud Native Core Binding Support Function. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Resource management error
EUVDB-ID: #VU58295
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3733
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application within the AbstractBasicAuthHandler class in urllib. A remote attacker with control over the server can perform regular expression denial of service attack during authentication.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Infinite loop
EUVDB-ID: #VU59089
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3737
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop. A remote attacker who controls a malicious server can force the client to enter an infinite loop on a 100 Continue response.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Server-Side Request Forgery (SSRF)
EUVDB-ID: #VU61681
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-4189
CWE-ID:
CWE-918 - Server-Side Request Forgery (SSRF)
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the FTP (File Transfer Protocol) client library when using it in PASV (passive) mode. A remote attacker can set up a malicious FTP server, trick the FTP client in Python into connecting back to a given IP address and port, which can lead to FTP client scanning ports which otherwise would not have been possible.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
29) CRLF injection
EUVDB-ID: #VU61675
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-0391
CWE-ID:
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data within the urllib.parse module in Python. A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Deserialization of Untrusted Data
EUVDB-ID: #VU69391
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-42919
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to Python multiprocessing library, when used with the forkserver start method on Linux allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine.A local user can execute arbitrary code with privileges of the user running the any forkserver process.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
31) Resource exhaustion
EUVDB-ID: #VU69392
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-45061
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to usage of an unnecessary quadratic algorithm in one path when processing some inputs to the IDNA (RFC 3490) decoder. A remote attacker can pass a specially crafted name to he decoder, trigger resource excessive CPU consumption and perform a denial of service (DoS) attack.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Input validation error
EUVDB-ID: #VU72618
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-24329
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented filters.
The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Use-after-free
EUVDB-ID: #VU82078
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-48560
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to use-after-free exists via heappushpop in heapq. A remote attacker can trigger the vulnerability to perform a denial of service attack.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Resource exhaustion
EUVDB-ID: #VU82077
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-48564
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability occurs when processing malformed Apple Property List files in binary format. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
35) XML External Entity injection
EUVDB-ID: #VU80564
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-48565
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input within the plistlib module. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Race condition
EUVDB-ID: #VU82079
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-48566
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information,
The vulnerability exists due to a race condition in compare_digest in Lib/hmac.py. A remote attacker can exploit the race and gain unauthorized access to sensitive information.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Cleartext transmission of sensitive information
EUVDB-ID: #VU80228
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-40217
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in ssl.SSLSocket implementation when handling TLS client authentication. A remote attacker can trick the application to send data unencrypted.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
38) Path traversal
EUVDB-ID: #VU80585
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-41105
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
39) Improper input validation
EUVDB-ID: #VU88577
Risk: Medium
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6507
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to manipulate data.
The vulnerability exists due to improper input validation within the Third Party (Python) component in Oracle Communications Cloud Native Core Network Data Analytics Function. A remote privileged user can exploit this vulnerability to manipulate data.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
40) UNIX symbolic link following
EUVDB-ID: #VU87185
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-6597
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a local user to delete arbitrary files on the system.
The vulnerability exists due to a symlink following issue during cleanup when handling temporary files. A local user can create a specially crafted symbolic link to a critical file on the system and delete it.
Update the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
41) Resource exhaustion
EUVDB-ID: #VU87685
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-0450
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the zipfile module does not properly control consumption of internal resources when extracting files from a zip archive. A remote attacker can pass a specially crafted archive aka zip-bomb to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package python3.10 to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
python3.6-minimal (Ubuntu package): before Ubuntu Pro
python3.8-minimal (Ubuntu package): before Ubuntu Pro
python3.8 (Ubuntu package): before Ubuntu Pro
python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.4
python3.10 (Ubuntu package): before 3.10.12-1~22.04.4
python3.12-minimal (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.12 (Ubuntu package): before 3.12.0-1ubuntu0.1
python3.11-minimal (Ubuntu package): before Ubuntu Pro
python3.11 (Ubuntu package): before Ubuntu Pro
python3.5-minimal (Ubuntu package): before Ubuntu Pro
python3.6 (Ubuntu package): before Ubuntu Pro
python3.7 (Ubuntu package): before Ubuntu Pro
python3.7-minimal (Ubuntu package): before Ubuntu Pro
python3.9 (Ubuntu package): before Ubuntu Pro
python3.9-minimal (Ubuntu package): before Ubuntu Pro
python3.5 (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:23.10:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:18.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:16.04:*:*:*:*:*:*:
- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:
http://ubuntu.com/security/notices/USN-6891-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
