apk package
chainguard/kubeflow-pipelines-cache-deployer-compat
pkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compat
Vulnerabilities (98)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45296 | High | 7.5 | — | < 2.2.0-r12 | 2.2.0-r12 | Sep 9, 2024 | path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will |
| CVE-2024-34158 | High | 7.5 | — | < 2.2.0-r12 | 2.2.0-r12 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. |
| CVE-2024-34156 | High | 7.5 | — | < 2.2.0-r12 | 2.2.0-r12 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
| CVE-2024-34155 | Medium | 4.3 | — | < 2.2.0-r12 | 2.2.0-r12 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. |
| CVE-2024-39338 | — | — | — | < 2.2.0-r10 | 2.2.0-r10 | Aug 9, 2024 | axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs. |
| CVE-2024-41818 | — | — | — | < 2.2.0-r9 | 2.2.0-r9 | Jul 29, 2024 | fast-xml-parser is an open source, pure javascript xml parser. A ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1. |
| CVE-2024-5321 | Medium | 6.1 | — | < 2.2.0-r8 | 2.2.0-r8 | Jul 18, 2024 | A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs. |
| CVE-2024-5569 | Medium | 6.2 | — | < 2.2.0-r7 | 2.2.0-r7 | Jul 9, 2024 | A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as |
| CVE-2024-3651 | — | — | — | < 2.1.0-r0 | 2.1.0-r0 | Jul 7, 2024 | A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co |
| CVE-2024-39689 | — | — | — | < 2.2.0-r6 | 2.2.0-r6 | Jul 5, 2024 | Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro |
| CVE-2024-24791 | High | 7.5 | — | < 2.2.0-r5 | 2.2.0-r5 | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co |
| CVE-2024-37890 | High | 7.5 | — | < 2.2.0-r4 | 2.2.0-r4 | Jun 17, 2024 | ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e |
| CVE-2024-37891 | — | — | — | < 2.2.0-r4 | 2.2.0-r4 | Jun 17, 2024 | urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it' |
| CVE-2024-35195 | Medium | 5.6 | — | < 2.2.0-r2 | 2.2.0-r2 | May 20, 2024 | Requests is an HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes |
| CVE-2024-3177 | Low | 2.7 | — | < 2.14.3-r3 | 2.14.3-r3 | Apr 22, 2024 | A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. T |
| CVE-2023-45288 | High | 7.5 | — | < 2.0.5-r7 | 2.0.5-r7 | Apr 4, 2024 | An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma |
| CVE-2024-29041 | — | — | — | < 2.4.0-r9 | 2.4.0-r9 | Mar 25, 2024 | Express.js is a minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres |
| CVE-2024-28849 | — | — | — | < 2.0.5-r5 | 2.0.5-r5 | Mar 14, 2024 | follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears the authorization header during a cross-domain redirect, but keeps the proxy-authentication header which |
| CVE-2024-24786 | High | 7.5 | — | < 2.0.5-r5 | 2.0.5-r5 | Mar 5, 2024 | The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. |
| CVE-2024-24785 | Medium | 5.4 | — | < 2.0.5-r4 | 2.0.5-r4 | Mar 5, 2024 | If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. |
Page 3 of 5