VYPR

apk package

chainguard/awx

pkg:apk/chainguard/awx

Vulnerabilities (120)

  • CVE-2025-61912Oct 10, 2025
    affected < 24.6.1-r18fixed 24.6.1-r18

    python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that us

  • CVE-2025-61911Oct 10, 2025
    affected < 24.6.1-r18fixed 24.6.1-r18

    python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `ass

  • CVE-2025-59682Oct 1, 2025
    affected < 24.6.1-r17fixed 24.6.1-r17

    An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. The django.utils.archive.extract() function, used by the "startapp --template" and "startproject --template" commands, allows partial directory traversal via an archive with file paths s

  • CVE-2025-59681Oct 1, 2025
    affected < 24.6.1-r17fixed 24.6.1-r17

    An issue was discovered in Django 4.2 before 4.2.25, 5.1 before 5.1.13, and 5.2 before 5.2.7. QuerySet.annotate(), QuerySet.alias(), QuerySet.aggregate(), and QuerySet.extra() are subject to SQL injection in column aliases, when using a suitably crafted dictionary, with dictionar

  • CVE-2025-57833Sep 3, 2025
    affected < 24.6.1-r14fixed 24.6.1-r14

    An issue was discovered in Django 4.2 before 4.2.24, 5.1 before 5.1.12, and 5.2 before 5.2.6. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed QuerySet.annotate() or QuerySet.ali

  • CVE-2025-50182Jun 19, 2025
    affected < 24.6.1-r19fixed 24.6.1-r19

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 24.6.1-r33fixed 24.6.1-r33

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2025-4565Jun 16, 2025
    affected < 24.6.1-r9fixed 24.6.1-r9

    Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of s

  • CVE-2024-47081MedJun 9, 2025
    affected < 0fixed 0

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-48432Jun 5, 2025
    affected < 24.6.1-r8fixed 24.6.1-r8

    An issue was discovered in Django 5.2 before 5.2.3, 5.1 before 5.1.11, and 4.2 before 4.2.23. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forger

  • CVE-2025-47273May 17, 2025
    affected < 0fixed 0

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on

  • CVE-2025-32873May 8, 2025
    affected < 24.6.1-r6fixed 24.6.1-r6

    An issue was discovered in Django 4.2 before 4.2.21, 5.1 before 5.1.9, and 5.2 before 5.2.1. The django.utils.html.strip_tags() function is vulnerable to a potential denial-of-service (slow performance) when processing inputs containing large sequences of incomplete HTML tags. Th

  • CVE-2025-26699Mar 6, 2025
    affected < 24.6.1-r4fixed 24.6.1-r4

    An issue was discovered in Django 5.1 before 5.1.7, 5.0 before 5.0.13, and 4.2 before 4.2.20. The django.utils.text.wrap() method and wordwrap template filter are subject to a potential denial-of-service attack when used with very long strings.

  • CVE-2024-56374Jan 14, 2025
    affected < 24.6.1-r3fixed 24.6.1-r3

    An issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11, and 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings passed when performing IPv6 validation could lead to a potential denial-of-service attack. The undocumented and private functions clean_i

  • CVE-2024-53908Dec 6, 2024
    affected < 24.6.1-r2fixed 24.6.1-r2

    An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that

  • CVE-2024-53907Dec 6, 2024
    affected < 24.6.1-r2fixed 24.6.1-r2

    An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities

  • CVE-2024-52304Nov 18, 2024
    affected < 24.6.1-r2fixed 24.6.1-r2

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai

  • CVE-2024-33664Apr 25, 2024
    affected < 24.6.1-r19fixed 24.6.1-r19

    python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

  • CVE-2024-33663Apr 25, 2024
    affected < 24.6.1-r19fixed 24.6.1-r19

    python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

  • CVE-2024-23342HigJan 23, 2024
    affected < 24.6.1-r33fixed 24.6.1-r33

    The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). Versions 0.18.0 and prior

Page 6 of 6