pip before 1.3 allows local users to overwrite arbitrary files via a symlink attack on a file in the /tmp/pip-build temporary directory.
References
https://nvd.nist.gov/vuln/detail/CVE-2013-1888
https://github.com/pypa/pip/issues/725
https://github.co…
pip before 1.3 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to a “pip install” operation.
R…
In the urllib3 library through 1.24.2 for Python, CRLF injection is possible if the attacker controls the request parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-11236
https://github.com/urllib3/urllib3/issues/1553
https://access.redha…
Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact …
The WS-SP UsernameToken policy in Apache CXF 2.4.5 and 2.5.1 allows remote attackers to bypass authentication by sending an empty UsernameToken as part of a SOAP request.
References
https://nvd.nist.gov/vuln/detail/CVE-2012-0803
https://lists.apache.o…
Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, …
Apache CXF before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to execute unintended web-service operations by sending a header with a SOAP Action String that is inconsistent with the message body.
References
https://nvd.n…
The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers t…
The streaming XML parser in Apache CXF 2.5.x before 2.5.10, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to cause a denial of service (CPU and memory consumption) via crafted XML with a large number of (1) elements, (2) attributes…
nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka nnabla) prior to v1.0.10 relies on the HOME environment variable, which might be untrusted.
References
https://nvd.nist.gov/vuln/detail/CVE-2019-10844
https://github.com/sony/nnabla/…
