apk package

chainguard/kserve-storage-controller

pkg:apk/chainguard/kserve-storage-controller

Vulnerabilities (70)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-52304		—	< 0.14.0-r0	0.14.0-r0	Nov 18, 2024	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai
CVE-2024-47874	Hig	—	< 0	0	Oct 15, 2024	Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a
CVE-2024-47554		—	< 0.14.0-r0	0.14.0-r0	Oct 3, 2024	Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are
CVE-2024-34158	Hig	7.5	< 0.13.1-r5	0.13.1-r5	Sep 6, 2024	Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156	Hig	7.5	< 0.13.1-r5	0.13.1-r5	Sep 6, 2024	Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155	Med	4.3	< 0.13.1-r5	0.13.1-r5	Sep 6, 2024	Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-42367		—	< 0.13.1-r3	0.13.1-r3	Aug 9, 2024	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
CVE-2024-3651		—	< 0.13.1-r3	0.13.1-r3	Jul 7, 2024	A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
CVE-2024-30251		—	< 0.13.1-r3	0.13.1-r3	May 2, 2024	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process
CVE-2024-27306		—	< 0.13.1-r3	0.13.1-r3	Apr 18, 2024	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.

CVE-2024-52304Nov 18, 2024
affected < 0.14.0-r0fixed 0.14.0-r0
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai
CVE-2024-47874HigOct 15, 2024
affected < 0fixed 0
Starlette is an Asynchronous Server Gateway Interface (ASGI) framework/toolkit. Prior to version 0.40.0, Starlette treats `multipart/form-data` parts without a `filename` as text form fields and buffers those in byte strings with no size limit. This allows an attacker to upload a
CVE-2024-47554Oct 3, 2024
affected < 0.14.0-r0fixed 0.14.0-r0
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are
CVE-2024-34158HigSep 6, 2024
affected < 0.13.1-r5fixed 0.13.1-r5
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
CVE-2024-34156HigSep 6, 2024
affected < 0.13.1-r5fixed 0.13.1-r5
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34155MedSep 6, 2024
affected < 0.13.1-r5fixed 0.13.1-r5
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-42367Aug 9, 2024
affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
CVE-2024-3651Jul 7, 2024
affected < 0.13.1-r3fixed 0.13.1-r3
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
CVE-2024-30251May 2, 2024
affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process
CVE-2024-27306Apr 18, 2024
affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.

Page 4 of 4