VYPR

apk package

chainguard/mitmproxy

pkg:apk/chainguard/mitmproxy

Vulnerabilities (18)

  • CVE-2026-39892 (Critical) Apr 8, 2026
    affected: < 12.2.2-r1, fixed: 12.2.2-r1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-35536 (High) Apr 3, 2026
    affected: < 12.2.2-r1, fixed: 12.2.2-r1

    In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.

  • CVE-2026-34073 (Medium) Mar 31, 2026
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently

  • CVE-2026-27459 Mar 17, 2026
    affected: < 12.2.3-r0, fixed: 12.2.3-r0

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 22.0.0 and prior to version 26.0.0, if a user provided callback to `set_cookie_generate_callback` returned a cookie value greater than 256 bytes, pyOpenSSL would overflow an OpenSSL provided buffer. Sta

  • CVE-2026-27448 Mar 17, 2026
    affected: < 12.2.3-r0, fixed: 12.2.3-r0

    pyOpenSSL is a Python wrapper around the OpenSSL library. Starting in version 0.14.0 and prior to version 26.0.0, if a user provided callback to `set_tlsext_servername_callback` raised an unhandled exception, this would result in a connection being accepted. If a user was relying

  • CVE-2026-31958 (High) Mar 11, 2026
    affected: < 12.2.2-r1, fixed: 12.2.2-r1

    Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this cre

  • CVE-2026-27205 Feb 21, 2026
    affected: < 12.2.2-r1, fixed: 12.2.2-r1

    Flask is a web server gateway interface (WSGI) web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header, resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs c

  • CVE-2026-26007 Feb 10, 2026
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2026-0994 (High) Jan 23, 2026
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling l

  • CVE-2025-6176 (High) Oct 31, 2025
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less

  • CVE-2025-43859 (Critical) Apr 24, 2025
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since explo

  • CVE-2025-23217 (High) Feb 6, 2025
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmweb 11.1.1 and below, a malicious client can use mitmweb's proxy server (bound to `*:8080` by default) to acce

  • CVE-2024-26130 Feb 21, 2024
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided

  • CVE-2023-50782 Feb 5, 2024
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

  • CVE-2024-0727 (Medium) Jan 26, 2024
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack. Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can c

  • CVE-2023-49083 Nov 29, 2023
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious

  • CVE-2023-0286 Feb 8, 2023
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This

  • CVE-2023-23931 Feb 7, 2023
    affected: < 12.2.1-r0, fixed: 12.2.1-r0

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object