apk package
chainguard/kserve-router-compat
pkg:apk/chainguard/kserve-router-compat
Vulnerabilities (36)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45341 | Med | 6.1 | < 0.14.1-r2 | 0.14.1-r2 | Jan 28, 2025 | A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs. | |
| CVE-2024-45336 | Med | 6.1 | < 0.14.1-r2 | 0.14.1-r2 | Jan 28, 2025 | The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re | |
| CVE-2024-56326 | — | < 0.14.1-r0 | 0.14.1-r0 | Dec 23, 2024 | Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t | ||
| CVE-2024-56201 | — | < 0.14.1-r0 | 0.14.1-r0 | Dec 23, 2024 | Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit | ||
| CVE-2024-45338 | Med | 5.3 | < 0.14.0-r3 | 0.14.0-r3 | Dec 18, 2024 | An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service. | |
| CVE-2024-45337 | Cri | 9.1 | < 0.14.0-r0 | 0.14.0-r0 | Dec 12, 2024 | Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that | |
| CVE-2024-52304 | — | < 0.14.0-r0 | 0.14.0-r0 | Nov 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai | ||
| CVE-2024-47874 | Hig | — | < 0 | 0 | Oct 15, 2024 | Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a | |
| CVE-2024-47554 | — | < 0.14.0-r0 | 0.14.0-r0 | Oct 3, 2024 | Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are | ||
| CVE-2024-34158 | Hig | 7.5 | < 0.13.1-r5 | 0.13.1-r5 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |
| CVE-2024-34156 | Hig | 7.5 | < 0.13.1-r5 | 0.13.1-r5 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-34155 | Med | 4.3 | < 0.13.1-r5 | 0.13.1-r5 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | |
| CVE-2024-42367 | — | < 0.13.1-r3 | 0.13.1-r3 | Aug 9, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director | ||
| CVE-2024-3651 | — | < 0.13.1-r3 | 0.13.1-r3 | Jul 7, 2024 | A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co | ||
| CVE-2024-30251 | — | < 0.13.1-r3 | 0.13.1-r3 | May 2, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process | ||
| CVE-2024-27306 | — | < 0.13.1-r3 | 0.13.1-r3 | Apr 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. |
- affected < 0.14.1-r2fixed 0.14.1-r2
A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
- affected < 0.14.1-r2fixed 0.14.1-r2
The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain re
- CVE-2024-56326Dec 23, 2024affected < 0.14.1-r0fixed 0.14.1-r0
Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t
- CVE-2024-56201Dec 23, 2024affected < 0.14.1-r0fixed 0.14.1-r0
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit
- affected < 0.14.0-r3fixed 0.14.0-r3
An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.
- affected < 0.14.0-r0fixed 0.14.0-r0
Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that
- CVE-2024-52304Nov 18, 2024affected < 0.14.0-r0fixed 0.14.0-r0
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai
- affected < 0fixed 0
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a
- CVE-2024-47554Oct 3, 2024affected < 0.14.0-r0fixed 0.14.0-r0
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are
- affected < 0.13.1-r5fixed 0.13.1-r5
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
- affected < 0.13.1-r5fixed 0.13.1-r5
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 0.13.1-r5fixed 0.13.1-r5
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
- CVE-2024-42367Aug 9, 2024affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
- CVE-2024-3651Jul 7, 2024affected < 0.13.1-r3fixed 0.13.1-r3
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
- CVE-2024-30251May 2, 2024affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process
- CVE-2024-27306Apr 18, 2024affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.
Page 2 of 2