apk package
chainguard/datadog-agent-fips-7.74-core-integrations
pkg:apk/chainguard/datadog-agent-fips-7.74-core-integrations
Vulnerabilities (16)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6357 | Med | — | < 7.74.1-r12 | 7.74.1-r12 | Apr 27, 2026 | pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct | |
| CVE-2026-41066 | Hig | 7.5 | < 7.74.1-r9 | 7.74.1-r9 | Apr 24, 2026 | lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv | |
| CVE-2026-3219 | Med | — | < 7.74.1-r12 | 7.74.1-r12 | Apr 20, 2026 | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior | |
| CVE-2026-39892 | Cri | 9.8 | < 7.74.1-r16 | 7.74.1-r16 | Apr 8, 2026 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner | |
| CVE-2026-34073 | Med | 5.3 | < 7.74.1-r16 | 7.74.1-r16 | Mar 31, 2026 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently | |
| CVE-2026-25645 | — | < 7.74.1-r7 | 7.74.1-r7 | Mar 25, 2026 | Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid | ||
| CVE-2026-4539 | Low | 3.3 | < 7.74.1-r18 | 7.74.1-r18 | Mar 22, 2026 | A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit | |
| CVE-2026-26007 | — | < 7.74.1-r16 | 7.74.1-r16 | Feb 10, 2026 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke | ||
| CVE-2026-1703 | Low | — | < 7.74.1-r4 | 7.74.1-r4 | Feb 2, 2026 | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat | |
| CVE-2026-24049 | — | < 7.74.1-r7 | 7.74.1-r7 | Jan 22, 2026 | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil | ||
| CVE-2026-23949 | — | < 7.74.1-r3 | 7.74.1-r3 | Jan 20, 2026 | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta | ||
| CVE-2025-69277 | Med | 4.5 | < 7.74.1-r2 | 7.74.1-r2 | Dec 31, 2025 | libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g | |
| CVE-2025-66471 | — | < 7.74.1-r12 | 7.74.1-r12 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu | ||
| CVE-2025-66418 | — | < 7.74.1-r12 | 7.74.1-r12 | Dec 5, 2025 | urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a | ||
| CVE-2025-50181 | — | < 7.74.1-r12 | 7.74.1-r12 | Jun 19, 2025 | urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl | ||
| CVE-2025-47273 | — | < 7.74.1-r18 | 7.74.1-r18 | May 17, 2025 | setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on |
- affected < 7.74.1-r12fixed 7.74.1-r12
pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferred to increase startup time of the pip CLI. The patch changes self-update funct
- affected < 7.74.1-r9fixed 7.74.1-r9
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML input to read local files. Setting the resolve_entities option explicitly to resolv
- affected < 7.74.1-r12fixed 7.74.1-r12
pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as installing "incorrect" files according to the filename of the archive. New behavior
- affected < 7.74.1-r16fixed 7.74.1-r16
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner
- affected < 7.74.1-r16fixed 7.74.1-r16
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently
- CVE-2026-25645Mar 25, 2026affected < 7.74.1-r7fixed 7.74.1-r7
Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without valid
- affected < 7.74.1-r18fixed 7.74.1-r18
A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit
- CVE-2026-26007Feb 10, 2026affected < 7.74.1-r16fixed 7.74.1-r16
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke
- affected < 7.74.1-r4fixed 7.74.1-r4
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situat
- CVE-2026-24049Jan 22, 2026affected < 7.74.1-r7fixed 7.74.1-r7
wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the fil
- CVE-2026-23949Jan 20, 2026affected < 7.74.1-r3fixed 7.74.1-r3
jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow atta
- affected < 7.74.1-r2fixed 7.74.1-r2
libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g
- CVE-2025-66471Dec 5, 2025affected < 7.74.1-r12fixed 7.74.1-r12
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu
- CVE-2025-66418Dec 5, 2025affected < 7.74.1-r12fixed 7.74.1-r12
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a
- CVE-2025-50181Jun 19, 2025affected < 7.74.1-r12fixed 7.74.1-r12
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl
- CVE-2025-47273May 17, 2025affected < 7.74.1-r18fixed 7.74.1-r18
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on