VYPR

apk package

chainguard/kubeflow-volumes-web-app

pkg:apk/chainguard/kubeflow-volumes-web-app

Vulnerabilities (37)

  • CVE-2024-6839Mar 20, 2025
    affected < 1.10.0-r2fixed 1.10.0-r2

    corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This misma

  • CVE-2024-56326Dec 23, 2024
    affected < 1.9.2-r3fixed 1.9.2-r3

    Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t

  • CVE-2024-56201Dec 23, 2024
    affected < 1.9.2-r3fixed 1.9.2-r3

    Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit

  • CVE-2024-49767Oct 25, 2024
    affected < 1.9.2-r1fixed 1.9.2-r1

    Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively

  • CVE-2024-49766Oct 25, 2024
    affected < 1.9.2-r1fixed 1.9.2-r1

    Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended

  • CVE-2024-6221Aug 18, 2024
    affected < 1.9.1-r0fixed 1.9.1-r0

    A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as da

  • CVE-2024-3651Jul 7, 2024
    affected < 1.8.0-r6fixed 1.8.0-r6

    A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co

  • CVE-2024-39689Jul 5, 2024
    affected < 1.8.0-r8fixed 1.8.0-r8

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

  • CVE-2024-37891Jun 17, 2024
    affected < 1.8.0-r7fixed 1.8.0-r7

    urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'

  • CVE-2024-35195MedMay 20, 2024
    affected < 1.8.0-r6fixed 1.8.0-r6

    Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes

  • CVE-2024-34069May 6, 2024
    affected < 1.8.0-r6fixed 1.8.0-r6

    Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain

  • CVE-2024-34064May 6, 2024
    affected < 1.8.0-r6fixed 1.8.0-r6

    Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap

  • CVE-2024-1681Apr 19, 2024
    affected < 1.8.0-r6fixed 1.8.0-r6

    corydolphin/flask-cors is vulnerable to log injection when the log level is set to debug. An attacker can inject fake log entries into the log file by sending a specially crafted GET request containing a CRLF sequence in the request path. This vulnerability allows attackers to co

  • CVE-2023-46136HigOct 25, 2023
    affected < 1.7.0-r8fixed 1.7.0-r8

    Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are

  • CVE-2023-45803Oct 17, 2023
    affected < 1.7.0-r8fixed 1.7.0-r8

    urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE

  • CVE-2023-43804Oct 4, 2023
    affected < 1.7.0-r6fixed 1.7.0-r6

    urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unk

  • CVE-2023-41419Sep 25, 2023
    affected < 1.7.0-r5fixed 1.7.0-r5

    An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

Page 2 of 2