Filtered by vendor Redhat Subscriptions
Filtered by product Rhui Subscriptions
Total 29 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-23829 3 Aiohttp, Fedoraproject, Redhat 6 Aiohttp, Fedora, Ansible Automation Platform and 3 more 2024-11-12 6.5 Medium
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to protect against injection of additional requests. Additionally, validation could trigger exceptions that were not handled consistently with processing of other malformed input. Being more lenient than internet standards require could, depending on deployment environment, assist in request smuggling. The unhandled exception could cause excessive resource consumption on the application server and/or its logging facilities. This vulnerability exists due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability.
CVE-2023-50782 3 Couchbase, Cryptography.io, Redhat 7 Couchbase Server, Cryptography, Ansible Automation Platform and 4 more 2024-11-06 7.5 High
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
CVE-2023-50781 2 M2crypto Project, Redhat 5 M2crypto, Enterprise Linux, Rhev Hypervisor and 2 more 2024-11-06 7.5 High
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
CVE-2023-37276 3 Aio-libs Project, Aiohttp, Redhat 5 Aiohttp, Aiohttp, Rhui and 2 more 2024-10-18 5.3 Medium
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.
CVE-2023-47627 2 Aiohttp, Redhat 5 Aiohttp, Ansible Automation Platform, Rhui and 2 more 2024-10-11 5.3 Medium
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There are no known workarounds for these issues.
CVE-2024-7143 2 Pulpproject, Redhat 6 Pulp, Ansible Automation Platform, Ansible Automation Platform Developer and 3 more 2024-09-18 8.3 High
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
CVE-2023-49083 2 Cryptography.io, Redhat 4 Cryptography, Ansible Automation Platform, Enterprise Linux and 1 more 2024-09-05 5.9 Medium
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
CVE-2012-4574 2 Cloudforms Tools, Redhat 3 1, Cloudforms, Rhui 2024-08-06 N/A
Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file.
CVE-2018-10917 2 Pulpproject, Redhat 4 Pulp, Rhui, Satellite and 1 more 2024-08-05 N/A
pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
CVE-2021-44420 5 Canonical, Debian, Djangoproject and 2 more 7 Ubuntu Linux, Debian Linux, Django and 4 more 2024-08-04 7.3 High
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
CVE-2022-41323 2 Djangoproject, Redhat 4 Django, Rhui, Satellite and 1 more 2024-08-03 7.5 High
In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
CVE-2022-40899 2 Pythoncharmers, Redhat 4 Python-future, Rhui, Satellite and 1 more 2024-08-03 7.5 High
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
CVE-2022-34265 2 Djangoproject, Redhat 4 Django, Rhui, Satellite and 1 more 2024-08-03 9.8 Critical
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
CVE-2022-28347 3 Debian, Djangoproject, Redhat 6 Debian Linux, Django, Ansible Automation Platform and 3 more 2024-08-03 9.8 Critical
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
CVE-2022-28346 3 Debian, Djangoproject, Redhat 7 Debian Linux, Django, Ansible Automation Platform and 4 more 2024-08-03 9.8 Critical
An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed **kwargs.
CVE-2023-49082 2 Aiohttp, Redhat 5 Aiohttp, Ansible Automation Platform, Rhui and 2 more 2024-08-02 5.3 Medium
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.
CVE-2023-49081 2 Aiohttp, Redhat 5 Aiohttp, Ansible Automation Platform, Rhui and 2 more 2024-08-02 7.2 High
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.
CVE-2023-43665 3 Djangoproject, Fedoraproject, Redhat 6 Django, Fedora, Ansible Automation Platform and 3 more 2024-08-02 7.5 High
In Django 3.2 before 3.2.22, 4.1 before 4.1.12, and 4.2 before 4.2.6, the django.utils.text.Truncator chars() and words() methods (when used with html=True) are subject to a potential DoS (denial of service) attack via certain inputs with very long, potentially malformed HTML text. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which are thus also vulnerable. NOTE: this issue exists because of an incomplete fix for CVE-2019-14232.
CVE-2023-41164 3 Djangoproject, Fedoraproject, Redhat 6 Django, Fedora, Ansible Automation Platform and 3 more 2024-08-02 7.5 High
In Django 3.2 before 3.2.21, 4.1 before 4.1.11, and 4.2 before 4.2.5, django.utils.encoding.uri_to_iri() is subject to a potential DoS (denial of service) attack via certain inputs with a very large number of Unicode characters.
CVE-2023-36053 4 Debian, Djangoproject, Fedoraproject and 1 more 8 Debian Linux, Django, Fedora and 5 more 2024-08-02 7.5 High
In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are subject to a potential ReDoS (regular expression denial of service) attack via a very large number of domain name labels of emails and URLs.