Safeguard
Tag

python-security

Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.

71 articles

Vulnerability Analysis

urllib3 regular expression denial of service (CVE-2021-33503)

A deep dive into CVE-2021-33503, the urllib3 ReDoS flaw in Python's core HTTP library, its real-world exposure, and how to remediate it.

Dec 31, 20257 min read
Vulnerability Analysis

urllib3 cookie/auth header leak on cross-origin redirect (CVE-2023-43804)

CVE-2023-43804 lets urllib3 leak Cookie headers on cross-origin redirects. See affected versions, severity context, and how to remediate fast.

Dec 30, 20257 min read
Vulnerability Analysis

PyYAML full_load unsafe deserialization arbitrary code execution (CVE-2020-14343)

CVE-2020-14343 shows PyYAML's full_load/FullLoader "safe" fix was incomplete, enabling arbitrary code execution. Here's the fix and how to detect exposure.

Dec 30, 20257 min read
Vulnerability Analysis

PyYAML Loader arbitrary code execution (CVE-2017-18342)

PyYAML's default yaml.load() Loader lets attackers run arbitrary code via crafted YAML input. Here's how CVE-2017-18342 works and how to fix it.

Dec 30, 20257 min read
Vulnerability Analysis

IPython crafted directory code execution (CVE-2022-21699)

CVE-2022-21699 lets attackers plant crafted profile files in shared directories, triggering silent code execution when victims launch IPython or Jupyter sessions.

Dec 30, 20258 min read
Vulnerability Analysis

Python urllib.parse NFKC normalization blocklist bypass (CVE-2023-24329)

CVE-2023-24329 let attackers bypass URL blocklists via leading blank characters in Python's urllib.parse, enabling SSRF and filter evasion.

Dec 29, 20257 min read
Vulnerability Analysis

Python mailcap insecure shell command construction (CVE-2015-20107)

Python mailcap shell injection (CVE-2015-20107) lets attackers run arbitrary commands via unescaped filenames. Here is how to detect and fix it.

Dec 29, 20258 min read
Incident Analysis

ctx and colourama PyPI typosquat malware incident

The ctx and colourama PyPI typosquatting malware incident shows how account takeover and name-squatting delivered credential-stealing code to devs.

Dec 29, 20257 min read
Vulnerability Analysis

Django str.format denial of service (CVE-2023-41164)

CVE-2023-41164 lets attackers DoS Django apps via a str.format() flaw in uri_to_iri(). Here's what's affected, severity context, and how to fix it.

Dec 28, 20256 min read
Vulnerability Analysis

Django admin ChangeList path traversal (CVE-2021-33203)

CVE-2021-33203 is a staff-only path traversal in Django's admindocs TemplateDetailView. Here's what's affected, its CVSS/EPSS profile, and how to remediate it.

Dec 28, 20257 min read
Vulnerability Analysis

Werkzeug multipart form-data denial of service (CVE-2019-1010083)

CVE-2019-1010083 lets attackers crash Flask apps via crafted multipart form-data. Here's the CVSS score, timeline, and how to fix the Werkzeug DoS flaw.

Dec 27, 20258 min read
Vulnerability Analysis

Werkzeug multipart parser DoS (CVE-2023-46136)

A crafted multipart upload could pin Werkzeug workers at 100% CPU with no auth required. Here's what CVE-2023-46136 affects and how to fix it.

Dec 26, 20257 min read
python-security (Page 3) — Safeguard Blog