Most recent entries from pysec
Feed: https://vulnerability.circl.lu/rss/recent/pysec/10 (Vulnerability-Lookup, info@circl.lu, generated with python-feedgen). Fetched 2025-02-09T20:51:23+00:00; contains only the 10 most recent entries.

pysec-2024-27 - https://vulnerability.circl.lu/vuln/pysec-2024-27
CrateDB 5.5.1 contains an authentication bypass vulnerability in the Admin UI component. When password authentication is configured and an authentication rule is bound to the `_local_` address, authentication can be bypassed by setting the X-Real-IP request header to a specific value and accessing the Admin UI directly as the default user. (https://github.com/crate/crate/issues/15231)

pysec-2024-224 - https://vulnerability.circl.lu/vuln/pysec-2024-224
Excessive directory permissions in MLflow lead to local privilege escalation when using spark_udf. A local attacker can exploit this behavior through a TOCTOU (time-of-check to time-of-use) race to gain elevated permissions. The issue is only relevant when the spark_udf() MLflow API is called.

pysec-2024-83 - https://vulnerability.circl.lu/vuln/pysec-2024-83
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when used for a prediction.

pysec-2024-84 - https://vulnerability.circl.lu/vuln/pysec-2024-84
Deserialization of untrusted data can occur in versions 23.10.3.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when a 'describe' query is run on it.

pysec-2024-85 - https://vulnerability.circl.lu/vuln/pysec-2024-85
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded 'inhouse' model to run arbitrary code on the server when 'finetune' is used on it.

pysec-2023-278 - https://vulnerability.circl.lu/vuln/pysec-2023-278
MindsDB connects artificial intelligence models to real-time data. Versions prior to 23.11.4.1 contain a limited file write vulnerability in `file.py`. Users should use MindsDB's `staging` branch or v23.11.4.1, which contain a fix for the issue.

pysec-2024-82 - https://vulnerability.circl.lu/vuln/pysec-2024-82
Deserialization of untrusted data can occur in versions 23.3.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded model to run arbitrary code on the server when interacted with.

pysec-2024-225 - https://vulnerability.circl.lu/vuln/pysec-2024-225
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key does not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), a NULL pointer dereference occurs, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

pysec-2024-226 - https://vulnerability.circl.lu/vuln/pysec-2024-226
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely uses `eval()` to process its input, enabling execution of arbitrary code when untrusted input is parsed. Version 2024.2.20 fixes this issue.

pysec-2024-111 - https://vulnerability.circl.lu/vuln/pysec-2024-111
A path traversal vulnerability exists in the `getFullPath` method of langchain-ai/langchainjs version 0.2.5. This vulnerability allows attackers to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete files. The vulnerability is exploited through the `setFileContent`, `getParsedFile`, and `mdelete` methods, which do not properly sanitize user input.
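The CrateDB entry (pysec-2024-27) is the classic "trust a client-supplied address header" mistake: if the server derives the client address from X-Real-IP without first checking that the TCP peer is a proxy it controls, any remote client can claim to be local and inherit whatever a local connection is trusted with. The following Python is an added illustration of that pattern and its fix; it is not CrateDB's code, and the trusted-proxy address, the default user name "crate" and the loopback-means-trusted rule are assumptions made for the demonstration.

```python
import ipaddress

# Constructed example values: the reverse proxy that is allowed to set X-Real-IP,
# and the user that local connections are admitted as (assumed; the advisory only
# says "the default user").
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
DEFAULT_USER = "crate"


def vulnerable_client_ip(peer_ip, headers):
    """Bug pattern: believe X-Real-IP no matter which peer sent it."""
    forwarded = headers.get("X-Real-IP")
    return ipaddress.ip_address(forwarded if forwarded else peer_ip)


def hardened_client_ip(peer_ip, headers):
    """Use X-Real-IP only when the TCP peer is a proxy we control. For any other
    peer the socket address is the only evidence of where the request came from."""
    peer = ipaddress.ip_address(peer_ip)
    forwarded = headers.get("X-Real-IP")
    if forwarded is None or peer not in TRUSTED_PROXIES:
        return peer
    try:
        return ipaddress.ip_address(forwarded.strip())
    except ValueError:
        # Malformed header even from the trusted proxy: never escalate, keep the peer.
        return peer


def authenticate(peer_ip, headers, resolve_client_ip):
    """Hypothetical rule modelled on the advisory: a client that appears to come
    from a loopback address is admitted as the default user with no password;
    everyone else must authenticate with a password."""
    client = resolve_client_ip(peer_ip, headers)
    if client.is_loopback:
        return DEFAULT_USER, "trust"
    return None, "password"


if __name__ == "__main__":
    spoof = {"X-Real-IP": "127.0.0.1"}
    print(authenticate("203.0.113.7", spoof, vulnerable_client_ip))  # admitted without a password
    print(authenticate("203.0.113.7", spoof, hardened_client_ip))    # password required
```

The hardened resolver also has to be paired with a proxy that overwrites, rather than appends to, the X-Real-IP header it receives from clients; otherwise the same spoof arrives through the trusted hop.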
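The MLflow entry (pysec-2024-224) describes a scratch directory that is created with permissions loose enough for another local user to interfere with it before its contents are used. The advisory does not give the directory name or the fix, so the Python below is an added, generic illustration rather than MLflow's code: a predictable directory created under the process umask and adopted if it already exists, next to a private one created atomically with mode 0700, plus the post-creation check a consumer should make before trusting the directory. The directory name "spark-udf-scratch" and the permissive umask are constructed for the demonstration.

```python
import os
import stat
import tempfile


def lax_scratch_dir(parent, name):
    """Bug pattern: a predictable directory created with whatever the process
    umask allows, and reused if it already exists. Under a permissive umask it is
    writable by every local user, and exist_ok=True adopts a directory that another
    user created first, which is the time-of-check/time-of-use window."""
    path = os.path.join(parent, name)
    os.makedirs(path, exist_ok=True)
    return path


def private_scratch_dir(parent):
    """Hardened: unpredictable name, created in one mkdir call with mode 0700
    regardless of umask; mkdtemp fails instead of adopting an existing directory."""
    return tempfile.mkdtemp(prefix="udf-", dir=parent)


def check_private_dir(path):
    """Verify before use: a real directory (lstat, so a symlink planted at the path
    is not followed), owned by this process, with no group/other permission bits."""
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError(f"{path} is not a directory")
    if os.name == "posix":
        if st.st_uid != os.getuid():
            raise RuntimeError(f"{path} is owned by uid {st.st_uid}, not by us")
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            raise RuntimeError(f"{path} is accessible to other users (mode {oct(mode)})")
    return True


def demo():
    """Run both patterns under a deliberately permissive umask (a constructed
    condition for the demonstration) and report what the check says about each."""
    results = {}
    with tempfile.TemporaryDirectory() as parent:
        old_umask = os.umask(0o000)
        try:
            lax = lax_scratch_dir(parent, "spark-udf-scratch")
            results["lax_mode"] = stat.S_IMODE(os.stat(lax).st_mode)
            try:
                check_private_dir(lax)
                results["lax_rejected"] = False
            except RuntimeError:
                results["lax_rejected"] = True
            private = private_scratch_dir(parent)
            results["private_mode"] = stat.S_IMODE(os.stat(private).st_mode)
            results["private_accepted"] = check_private_dir(private)
        finally:
            os.umask(old_umask)
    return results


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done with lstat on the final path rather than by trusting the return value of the create call: it is the directory that exists at the moment of use, not the one the code intended to create, that matters.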
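The four MindsDB entries (pysec-2024-82, -83, -84, -85) all come down to the same thing: an uploaded model artefact is deserialized, and the format lets the artefact name a callable to invoke on load. The Python below is an added illustration of that mechanism with pickle and of the standard mitigation, an Unpickler whose find_class only resolves an allowlist of globals. It is not MindsDB's code and the page does not say how MindsDB fixed the issues; the "model" blobs, the marker callback and the allowlist are constructed for the demonstration.

```python
import io
import pickle

EXECUTED = []  # side effects observed during unpickling, for the demonstration


def attacker_callback(marker):
    """Stand-in for what a real payload would reference (os.system, subprocess, ...)."""
    EXECUTED.append(marker)
    return marker


class MaliciousModel:
    """Its pickle carries no weights; it carries an instruction to call
    attacker_callback(...) when loaded. pickle will honour any importable callable here."""

    def __reduce__(self):
        return (attacker_callback, ("code ran during unpickle",))


def benign_model_bytes():
    # Constructed stand-in for a legitimate uploaded artefact: plain containers only.
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "labels": ["cat", "dog"]})


def malicious_model_bytes():
    return pickle.dumps(MaliciousModel())


def unsafe_load(blob):
    """Bug pattern: pickle.loads on whatever the user uploaded."""
    return pickle.loads(blob)


# Globals an artefact is permitted to reference. Dicts, lists, strings and numbers
# never go through find_class at all, so the allowlist can stay very short;
# extend it only with types the model format genuinely needs.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_load(blob):
    """Hardened: same wire format, but any reference outside ALLOWED_GLOBALS aborts
    the load before the callable is ever resolved."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    print(safe_load(benign_model_bytes()))
    try:
        safe_load(malicious_model_bytes())
    except pickle.UnpicklingError as exc:
        print("blocked:", exc)
```

An allowlist only buys safety if nothing on it can be abused when called with attacker-chosen arguments; it is a mitigation for formats you cannot change, not a substitute for a data-only serialization of model weights.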
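The pymatgen entry (pysec-2024-226) is eval() used as a parser for a structured string. The replacement is a real parser that accepts only the intended grammar. The Python below is an added illustration, not pymatgen's code: it uses a hypothetical, simplified transformation grammar (rotation rows as linear expressions in a, b, c, then a translation of three fractions), which is modelled on strings such as "a,b,c;0,0,0" but is not pymatgen's exact syntax, and shows the eval() version accepting arbitrary Python beside the grammar-bound version rejecting it.

```python
import re
from fractions import Fraction

# Hypothetical simplified grammar (assumed for this example, not pymatgen's syntax):
#   "<row>,<row>,<row>;<frac>,<frac>,<frac>"
#   row  = sum of terms such as "a", "-b", "2c", "1/2a"
#   frac = integer or fraction such as "0", "-1", "1/2"
TERM = re.compile(r"([+-]?)(\d+(?:/\d+)?)?([abc])")
EXPR = re.compile(r"(?:[+-]?(?:\d+(?:/\d+)?)?[abc])+")
FRAC = re.compile(r"[+-]?\d+(?:/\d+)?")


def unsafe_parse(text):
    """Bug pattern: hand the string to eval(). Anything that is valid Python runs,
    whether or not it resembles a transformation."""
    return eval(text)


def parse_row(expr):
    """Turn one rotation row such as "-b+c" into coefficients [a, b, c]."""
    expr = expr.replace(" ", "")
    if not EXPR.fullmatch(expr):
        raise ValueError(f"rejected rotation row: {expr!r}")
    row = {"a": Fraction(0), "b": Fraction(0), "c": Fraction(0)}
    for sign, coef, var in TERM.findall(expr):
        value = Fraction(coef) if coef else Fraction(1)
        row[var] += -value if sign == "-" else value
    return [row["a"], row["b"], row["c"]]


def safe_parse(text):
    """Accept only the grammar above; everything else raises ValueError and
    nothing in the input is ever executed."""
    parts = text.split(";")
    if len(parts) != 2:
        raise ValueError("expected '<rotation>;<translation>'")
    rows = parts[0].split(",")
    shifts = [s.strip() for s in parts[1].split(",")]
    if len(rows) != 3 or len(shifts) != 3:
        raise ValueError("expected three rotation rows and three translation components")
    for s in shifts:
        if not FRAC.fullmatch(s):
            raise ValueError(f"rejected translation component: {s!r}")
    return [parse_row(r) for r in rows], [Fraction(s) for s in shifts]


if __name__ == "__main__":
    print(safe_parse("-b+c, a, 2c; 1/2, 0, -1"))
    try:
        safe_parse("__import__('os').getpid()")
    except ValueError as exc:
        print("rejected:", exc)
```

Whitelisting with re.fullmatch before touching the content is what makes the parser safe; a blacklist of dangerous substrings would not survive the many ways Python can spell an import.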
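The langchainjs entry (pysec-2024-111) is a file store whose `getFullPath` joins a caller-supplied name onto its base directory without confining the result. The Python below is an added illustration of the same bug and its containment check, written in Python to match the rest of the examples on this page; it is not langchainjs's code and the store path "/srv/store" is a constructed example. It covers the two ways a join escapes: ".." segments, and absolute input, which os.path.join treats as replacing the base entirely.

```python
import os
from pathlib import Path


def unsafe_full_path(base, user_path):
    """Bug pattern: concatenate and normalise. ".." segments walk out of base, and
    os.path.join discards base altogether when user_path is absolute."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_full_path(base, user_path):
    """Reject absolute input, resolve the joined path (following symlinks, so a link
    planted inside the store cannot point outside it), and require the result to be
    the store root or one of its descendants."""
    if not user_path or Path(user_path).is_absolute() or user_path.startswith(("/", "\\")):
        raise ValueError(f"absolute paths are not allowed: {user_path!r}")
    root = Path(base).resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes the store: {user_path!r}")
    return candidate


def contained(base, user_path):
    """True if safe_full_path accepts user_path for this store."""
    try:
        safe_full_path(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(unsafe_full_path("/srv/store", "../../etc/passwd"))  # outside the store
    print(unsafe_full_path("/srv/store", "/etc/passwd"))       # base silently dropped
    print(safe_full_path("/srv/store", "notes/today.txt"))
```

The comparison is made on resolved paths, not on strings: a prefix check such as `startswith("/srv/store")` would accept "/srv/store-old/x" and would not notice a symlink.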