https://vulnerability.circl.lu/rss/recent/pysec/10
Most recent entries from pysec (2025-02-09T20:51:23.373584+00:00), published by Vulnerability-Lookup (info@circl.lu) via python-feedgen. Contains only the 10 most recent entries.

pysec-2024-27 (2025-02-09T20:51:23.378685+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-27
CrateDB 5.5.1 contains an authentication bypass vulnerability in the Admin UI component. When password authentication is configured together with a local-address rule, identity authentication can be bypassed by setting the X-Real-IP request header to a specific value and accessing the Admin UI directly using the default user identity. (https://github.com/crate/crate/issues/15231)

pysec-2024-224 (2025-02-09T20:51:23.378670+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-224
Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. This behavior can be exploited by a local attacker to gain elevated permissions by using a ToCToU attack. The issue is only relevant when the spark_udf() MLflow API is called.

pysec-2024-83 (2025-02-09T20:51:23.378656+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-83
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when used for a prediction.

pysec-2024-84 (2025-02-09T20:51:23.378641+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-84
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when a ‘describe’ query is run on it.

pysec-2024-85 (2025-02-09T20:51:23.378626+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-85
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it.

pysec-2023-278 (2025-02-09T20:51:23.378612+00:00)
https://vulnerability.circl.lu/vuln/pysec-2023-278
MindsDB connects artificial intelligence models to real-time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.

pysec-2024-82 (2025-02-09T20:51:23.378597+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-82
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

pysec-2024-225 (2025-02-09T20:51:23.378581+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-225
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

pysec-2024-226 (2025-02-09T20:51:23.378559+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-226
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely uses `eval()` to process input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue.

pysec-2024-111 (2025-02-09T20:51:23.378511+00:00)
https://vulnerability.circl.lu/vuln/pysec-2024-111
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.