Description
The latest version contains the following vulnerabilities:
| CVE | SEVERITY | CVSS | PACKAGE | VERSION | STATUS | PUBLISHED | DISCOVERED | DESCRIPTION |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-12900 | critical | 9.80 | python | 3.8.10 | fixed in 3.10.3, 3.9.11, 3.8.13,... (> 5 years ago) | > 5 years | < 1 hour | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. |
| CVE-2019-12900 | critical | 9.80 | python | 3.9.5 | fixed in 3.10.3, 3.9.11, 3.8.13,... (> 5 years ago) | > 5 years | < 1 hour | BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. |
| CVE-2018-25032 | high | 7.50 | python | 3.8.10 | fixed in 3.10.5, 3.9.13, 3.8.14,... (> 2 years ago) | > 2 years | < 1 hour | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
| CVE-2018-25032 | high | 7.50 | python | 3.9.5 | fixed in 3.10.5, 3.9.13, 3.8.14,... (> 2 years ago) | > 2 years | < 1 hour | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
| CVE-2016-3189 | medium | 6.50 | python | 3.8.10 | fixed in 3.10.3, 3.9.11, 3.8.13,... (> 8 years ago) | > 8 years | < 1 hour | Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, rel... |
| CVE-2016-3189 | medium | 6.50 | python | 3.9.5 | fixed in 3.10.3, 3.9.11, 3.8.13,... (> 8 years ago) | > 8 years | < 1 hour | Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, rel... |
| PRISMA-2022-0404 | medium | 5.30 | wheel | 0.34.2 | fixed in 0.38.0 (> 2 years ago) | > 2 years | < 1 hour | wheel package versions before 0.38.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to vulnerable regex at WHEEL_INFO_RE in wheelf... |