apk package

chainguard/airflow-3

pkg:apk/chainguard/airflow-3

Vulnerabilities (98)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-57804	Med	—	< 3.0.6-r0	3.0.6-r0	Aug 25, 2025	h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to
CVE-2025-54121	Med	5.3	< 3.0.3-r3	3.0.3-r3	Jul 21, 2025	Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will bl
CVE-2025-53643		—	< 3.2.0-r0	3.2.0-r0	Jul 14, 2025	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed
CVE-2025-48924		—	< 3.2.0-r0	3.2.0-r0	Jul 11, 2025	Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
CVE-2025-50213		—	< 3.1.2-r0	3.1.2-r0	Jun 24, 2025	Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExter
CVE-2025-50182		—	< 3.0.2-r2	3.0.2-r2	Jun 19, 2025	urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque
CVE-2025-50181		—	< 3.0.2-r2	3.0.2-r2	Jun 19, 2025	urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl
CVE-2024-47081	Med	5.3	< 3.0.1-r1	3.0.1-r1	Jun 9, 2025	Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc
CVE-2025-5279	Hig	—	< 3.0.1-r1	3.0.1-r1	May 27, 2025	When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and r
CVE-2025-32962		—	< 3.0.1-r1	3.0.1-r1	May 16, 2025	Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_
CVE-2025-47287		—	< 3.0.1-r1	3.0.1-r1	May 15, 2025	Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo
CVE-2025-47278	Low	—	< 3.0.1-r1	3.0.1-r1	May 13, 2025	Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` librar
CVE-2024-49767		—	< 3.0.1-r1	3.0.1-r1	Oct 25, 2024	Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively
CVE-2024-49766		—	< 3.2.0-r0	3.2.0-r0	Oct 25, 2024	Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended
CVE-2024-34069		—	< 3.0.1-r1	3.0.1-r1	May 6, 2024	Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain
CVE-2024-23342		—	< 3.2.2-r0	3.2.2-r0	Jan 22, 2024	The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior
CVE-2023-48022		—	< 0	0	Nov 28, 2023	Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network
CVE-2023-46136	Hig	8.0	< 3.0.1-r1	3.0.1-r1	Oct 25, 2023	Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are

CVE-2025-57804MedAug 25, 2025
affected < 3.0.6-r0fixed 3.0.6-r0
h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to
CVE-2025-54121MedJul 21, 2025
affected < 3.0.3-r3fixed 3.0.3-r3
Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will bl
CVE-2025-53643Jul 14, 2025
affected < 3.2.0-r0fixed 3.2.0-r0
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed
CVE-2025-48924Jul 11, 2025
affected < 3.2.0-r0fixed 3.2.0-r0
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
CVE-2025-50213Jun 24, 2025
affected < 3.1.2-r0fixed 3.1.2-r0
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExter
CVE-2025-50182Jun 19, 2025
affected < 3.0.2-r2fixed 3.0.2-r2
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque
CVE-2025-50181Jun 19, 2025
affected < 3.0.2-r2fixed 3.0.2-r2
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl
CVE-2024-47081MedJun 9, 2025
affected < 3.0.1-r1fixed 3.0.1-r1
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc
CVE-2025-5279HigMay 27, 2025
affected < 3.0.1-r1fixed 3.0.1-r1
When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and r
CVE-2025-32962May 16, 2025
affected < 3.0.1-r1fixed 3.0.1-r1
Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_
CVE-2025-47287May 15, 2025
affected < 3.0.1-r1fixed 3.0.1-r1
Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo
CVE-2025-47278LowMay 13, 2025
affected < 3.0.1-r1fixed 3.0.1-r1
Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` librar
CVE-2024-49767Oct 25, 2024
affected < 3.0.1-r1fixed 3.0.1-r1
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively
CVE-2024-49766Oct 25, 2024
affected < 3.2.0-r0fixed 3.2.0-r0
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended
CVE-2024-34069May 6, 2024
affected < 3.0.1-r1fixed 3.0.1-r1
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain
CVE-2024-23342Jan 22, 2024
affected < 3.2.2-r0fixed 3.2.2-r0
The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior
CVE-2023-48022Nov 28, 2023
affected < 0fixed 0
Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network
CVE-2023-46136HigOct 25, 2023
affected < 3.0.1-r1fixed 3.0.1-r1
Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are

Page 5 of 5