base/oi/doa.py in the Rope library in CPython (aka Python) allows remote attackers to execute arbitrary code by leveraging an unsafe call to pickle.load.
References
https://nvd.nist.gov/vuln/detail/CVE-2014-3539
https://bugzilla.redhat.com/show_bug.cg…
An exploitable vulnerability exists in the Databook loading functionality of Tablib 0.11.4. A yaml loaded Databook can execute arbitrary python commands resulting in command execution. An attacker can insert python into loaded yaml to trigger this vuln…
diffoscope before 76 writes to arbitrary locations on disk based on the contents of an untrusted archive.
References
https://nvd.nist.gov/vuln/detail/CVE-2017-0359
https://security-tracker.debian.org/tracker/CVE-2017-0359
https://github.com/anthraxx/d…
An exploitable vulnerability exists in the YAML loading functionality of util.py in OwlMixin before 2.0.0a12. A “Load YAML” string or file (aka load_yaml or load_yamlf) can execute arbitrary Python commands resulting in command execution because load i…
An exploitable vulnerability exists in the YAML parsing functionality in the parse_yaml_query method in parser.py in MLAlchemy before 0.2.2. When processing YAML-Based queries for data, a YAML parser can execute arbitrary Python commands resulting in c…
webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone to a timing attack vulnerability on the WEBHOOK_AUTHORIZATION secret, which allows remote attackers to post arbitrary e-mail tracking events.
References
https://nvd.nist.gov/vuln/d…
Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect access control vulnerability resulting in arbitrary filesystem read/write access. This vulnerability has been fixed in versions 1.12.1, 1.13.1, 1.14.1 and 1.15.1.
References
https://nvd.nist….
io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2018-8097
https://github.com/pyeve/eve/issues/1101
https://…
