Safeguard
Tag

python-security

Safeguard articles tagged "python-security" — guides, analysis, and best practices for software supply chain and application security.

71 articles

Vulnerability Analysis

CVE-2021-33203: Path traversal via Django admindocs

CVE-2021-33203 let authenticated Django staff users traverse outside admindocs' template directory. Here's what's affected, real severity context, and how to remediate.

Oct 8, 20257 min read
Vulnerability Analysis

CVE-2021-33503: ReDoS in urllib3 URL authority parsing

CVE-2021-33503 exposes urllib3 before 1.26.5 to a ReDoS in URL authority parsing, letting attacker URLs exhaust CPU. What to patch and why.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2020-26137: CRLF injection in urllib3 header handling

CVE-2020-26137 let attackers inject CRLF sequences into urllib3-built HTTP requests. Here's the impact, affected versions, and how to remediate it.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2017-18342: Arbitrary code execution via PyYAML yaml....

CVE-2017-18342 lets attackers achieve remote code execution via PyYAML's yaml.load(), which deserialized untrusted YAML into live Python objects by default.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2020-1747: PyYAML full_load still allows code execution

CVE-2020-1747 shows PyYAML's FullLoader and full_load() could still trigger arbitrary code execution on untrusted YAML before 5.3.1. Here's the full breakdown.

Oct 6, 20258 min read
Vulnerability Analysis

CVE-2020-14343: PyYAML arbitrary code execution via pytho...

CVE-2020-14343 lets attackers run arbitrary code via PyYAML's python/object/new tag, bypassing an earlier FullLoader fix. Versions, CVSS, and remediation inside.

Oct 6, 20257 min read
Vulnerability Analysis

CVE-2022-22817: Arbitrary code execution in Pillow via Im...

CVE-2022-22817 lets attackers achieve arbitrary code execution via Pillow's ImageMath.eval() when environment data is attacker-controlled. Patch to 9.0.1+.

Oct 6, 20258 min read
Application Security

CVE-2021-25287: Buffer overflow in Pillow SGI decoder

A heap buffer overflow in Pillow's SGI image decoder (CVE-2021-25287) let crafted images corrupt memory. Here's the impact, fix, and remediation guidance.

Oct 5, 20258 min read
Vulnerability Analysis

CVE-2020-35654: Buffer over-read in Pillow PCX decoder

A buffer over-read in Pillow's PCX decoder (CVE-2020-35654) could crash image-processing services on crafted files. Here's the fix and detection guidance.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2020-35655: Decompression bomb DoS in Pillow

A crafted image file could force Pillow to over-allocate memory, causing denial of service. Here's what CVE-2020-35655 affects, its severity, and how to remediate it.

Oct 5, 20257 min read
Vulnerability Analysis

CVE-2023-50447: Arbitrary code execution via Pillow Image...

A patch bypass in Pillow's ImageMath.eval() reopens arbitrary code execution first flagged in CVE-2022-22817. Here's what changed and how to remediate it.

Oct 4, 20258 min read
Vulnerability Analysis

CVE-2019-1010083: Denial of service in Flask via large mu...

CVE-2019-1010083 let attackers crash Flask apps with crafted multipart requests. Here's the impact, affected versions, and how to remediate the DoS flaw.

Oct 3, 20257 min read
python-security (Page 5) — Safeguard Blog