apk package
chainguard/kubeflow-centraldashboard
pkg:apk/chainguard/kubeflow-centraldashboard
Vulnerabilities (79)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-7339 | Low | 3.4 | < 1.10.0-r3 | 1.10.0-r3 | Jul 17, 2025 | on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receiv | |
| CVE-2025-5889 | Low | 3.1 | < 1.10.0-r1 | 1.10.0-r1 | Jun 9, 2025 | A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l | |
| CVE-2025-27152 | — | < 1.9.2-r5 | 1.9.2-r5 | Mar 7, 2025 | axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka | ||
| CVE-2025-1302 | Cri | 9.8 | < 1.9.2-r5 | 1.9.2-r5 | Feb 15, 2025 | Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an | |
| CVE-2024-52798 | Hig | — | < 1.9.2-r3 | 1.9.2-r3 | Dec 5, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path | |
| CVE-2024-21534 | Cri | 9.8 | < 1.9.2-r4 | 1.9.2-r4 | Oct 11, 2024 | All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix i | |
| CVE-2024-47764 | Med | — | < 1.9.1-r1 | 1.9.1-r1 | Oct 4, 2024 | cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo | |
| CVE-2024-45590 | — | < 1.9.0-r4 | 1.9.0-r4 | Sep 10, 2024 | body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is | ||
| CVE-2024-43800 | — | < 1.9.0-r4 | 1.9.0-r4 | Sep 10, 2024 | serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0. | ||
| CVE-2024-43799 | — | < 1.9.0-r4 | 1.9.0-r4 | Sep 10, 2024 | Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. | ||
| CVE-2024-43796 | — | < 1.9.0-r4 | 1.9.0-r4 | Sep 10, 2024 | Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. | ||
| CVE-2024-45296 | Hig | 7.5 | < 1.9.0-r3 | 1.9.0-r3 | Sep 9, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will | |
| CVE-2024-39338 | — | < 1.9.0-r1 | 1.9.0-r1 | Aug 9, 2024 | axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. | ||
| CVE-2024-37890 | Hig | 7.5 | < 1.8.0-r5 | 1.8.0-r5 | Jun 17, 2024 | ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e | |
| CVE-2024-37168 | Med | 5.3 | < 1.8.0-r5 | 1.8.0-r5 | Jun 10, 2024 | @grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` chann | |
| CVE-2024-29041 | — | < 1.8.0-r3 | 1.8.0-r3 | Mar 25, 2024 | Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres | ||
| CVE-2024-28849 | — | < 1.8.0-r3 | 1.8.0-r3 | Mar 14, 2024 | follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which | ||
| CVE-2023-26159 | — | < 1.8.0-r1 | 1.8.0-r1 | Jan 2, 2024 | Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this | ||
| CVE-2019-10790 | — | < 1.10.0-r19 | 1.10.0-r19 | Feb 17, 2020 | taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. Howev |
- affected < 1.10.0-r3fixed 1.10.0-r3
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receiv
- affected < 1.10.0-r1fixed 1.10.0-r1
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be l
- CVE-2025-27152Mar 7, 2025affected < 1.9.2-r5fixed 1.9.2-r5
axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka
- affected < 1.9.2-r5fixed 1.9.2-r5
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an
- affected < 1.9.2-r3fixed 1.9.2-r3
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path
- affected < 1.9.2-r4fixed 1.9.2-r4
All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix i
- affected < 1.9.1-r1fixed 1.9.1-r1
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo
- CVE-2024-45590Sep 10, 2024affected < 1.9.0-r4fixed 1.9.0-r4
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is
- CVE-2024-43800Sep 10, 2024affected < 1.9.0-r4fixed 1.9.0-r4
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
- CVE-2024-43799Sep 10, 2024affected < 1.9.0-r4fixed 1.9.0-r4
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
- CVE-2024-43796Sep 10, 2024affected < 1.9.0-r4fixed 1.9.0-r4
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
- affected < 1.9.0-r3fixed 1.9.0-r3
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will
- CVE-2024-39338Aug 9, 2024affected < 1.9.0-r1fixed 1.9.0-r1
axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.
- affected < 1.8.0-r5fixed 1.8.0-r5
ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e
- affected < 1.8.0-r5fixed 1.8.0-r5
@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` chann
- CVE-2024-29041Mar 25, 2024affected < 1.8.0-r3fixed 1.8.0-r3
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres
- CVE-2024-28849Mar 14, 2024affected < 1.8.0-r3fixed 1.8.0-r3
follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which
- CVE-2023-26159Jan 2, 2024affected < 1.8.0-r1fixed 1.8.0-r1
Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this
- CVE-2019-10790Feb 17, 2020affected < 1.10.0-r19fixed 1.10.0-r19
taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB. Howev
Page 4 of 4