Msrc Cbl2 Python-Virtualenv 20.26.6-1 On Cbl Mariner 2.0 vulnerabilities
18 known vulnerabilities affecting msrc/cbl2_python-virtualenv_20.26.6-1_on_cbl_mariner_2.0.
Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 7, MEDIUM 11
Vulnerabilities
CVE-2025-50181 | MEDIUM | CVSS 5.3 | 2025-06-10
CVE-2025-50181 [MEDIUM] CWE-601 urllib3 redirects are not disabled when retries are disabled on PoolManager instantiation
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most rec
Source: msrc
CVE-2024-47081 | MEDIUM | CVSS 5.3 | 2025-06-10
CVE-2024-47081 [MEDIUM] CWE-522 Requests vulnerable to .netrc credentials leak via malicious URLs
Source: msrc
CVE-2025-47273 | HIGH | CVSS 8.8 | 2025-05-13
CVE-2025-47273 [HIGH] CWE-22 setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write
Source: msrc
CVE-2024-53899 | HIGH | CVSS 8.4 | 2024-11-12
CVE-2024-53899 [HIGH] CWE-77 virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
Source: msrc
CVE-2024-3651 | HIGH | CVSS 7.5 | 2024-07-09
CVE-2024-3651 [HIGH] CWE-400 Denial of Service via Quadratic Complexity in kjd/idna
Source: msrc
CVE-2024-6345 | HIGH | CVSS 8.8 | 2024-07-09
CVE-2024-6345 [HIGH] CWE-94 Remote Code Execution in pypa/setuptools
Source: msrc
CVE-2024-37891 | MEDIUM | CVSS 4.4 | 2024-06-11
CVE-2024-37891 [MEDIUM] CWE-669 Proxy-Authorization request header isn't stripped during cross-origin redirects in urllib3
Source: msrc
CVE-2023-5752 | MEDIUM | CVSS 5.5 | 2023-10-10
CVE-2023-5752 [MEDIUM] CWE-77 Mercurial configuration injectable in repo revision when installing via pip
Source: msrc
CVE-2018-25091 | MEDIUM | CVSS 6.1 | 2023-10-10
CVE-2018-25091 [CRITICAL] CWE-601 urllib3 before 1.24.2 does not remove the authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the authorization header to be exposed to unintended hosts or tran
Source: msrc
CVE-2023-43804 | MEDIUM | CVSS 5.9 | 2023-10-10
CVE-2023-43804 [MEDIUM] CWE-200 `Cookie` HTTP header isn't stripped on cross-origin redirects
Source: msrc
CVE-2023-45803 | MEDIUM | CVSS 4.2 | 2023-10-10
CVE-2023-45803 [MEDIUM] CWE-200 Request body not stripped after redirect in urllib3
Source: msrc
CVE-2022-40897 | MEDIUM | CVSS 5.9 | 2022-12-13
CVE-2022-40897 [MEDIUM] CWE-1333 Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Source: msrc
CVE-2021-3572 | MEDIUM | CVSS 5.7 | 2021-11-09
CVE-2021-3572 [MEDIUM] CWE-20 A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote attacker could possibly use this issue to install a different revision on a repository. The highest threat from this vulnerability is to data integrity. This is fixed in
Source: msrc
CVE-2021-33503 | HIGH | CVSS 7.5 | 2021-06-08
CVE-2021-33503 [HIGH] CWE-400 An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component the authority regular expression exhibits catastrophic backtracking causing a denial of service if a URL were passed as a parameter or red
Source: msrc
CVE-2019-20916 | HIGH | CVSS 7.5 | 2020-09-08
CVE-2019-20916 [HIGH] CWE-22 The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command because a Content-Disposition header can have ../ in a filename as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_
Source: msrc
CVE-2020-26137 | MEDIUM | CVSS 6.5 | 2020-09-08
CVE-2020-26137 [HIGH] CWE-74 urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Source: msrc
CVE-2019-11324 | HIGH | CVSS 7.5 | 2019-04-09
CVE-2019-11324 [HIGH] CWE-295 The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outco
Source: msrc
CVE-2019-11236 | MEDIUM | CVSS 6.1 | 2019-04-09
CVE-2019-11236 [MEDIUM] CWE-93 In the urllib3 library through 1.24.1 for Python CRLF injection is possible if the attacker controls the request parameter.
Source: msrc