apk package
chainguard/nemo
pkg:apk/chainguard/nemo
Vulnerabilities (169)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-5206 | — | < 2.5.2-r2 | 2.5.2-r2 | Jun 6, 2024 | A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data wit | ||
| CVE-2024-34069 | — | < 1.23.0-r12 | 1.23.0-r12 | May 6, 2024 | Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain | ||
| CVE-2024-34064 | — | < 1.23.0-r12 | 1.23.0-r12 | May 6, 2024 | Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap | ||
| CVE-2024-34062 | Med | 4.8 | < 1.23.0-r12 | 1.23.0-r12 | May 3, 2024 | tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in relea | |
| CVE-2024-30251 | — | < 1.23.0-r12 | 1.23.0-r12 | May 2, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process | ||
| CVE-2024-27306 | — | < 1.23.0-r12 | 1.23.0-r12 | Apr 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. | ||
| CVE-2024-21503 | Med | 5.3 | < 1.23.0-r12 | 1.23.0-r12 | Mar 19, 2024 | Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of | |
| CVE-2024-27319 | — | < 1.23.0-r12 | 1.23.0-r12 | Feb 23, 2024 | Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an off by one string copy. | ||
| CVE-2024-27318 | — | < 1.23.0-r12 | 1.23.0-r12 | Feb 23, 2024 | Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass |
- CVE-2024-5206Jun 6, 2024affected < 2.5.2-r2fixed 2.5.2-r2
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data wit
- CVE-2024-34069May 6, 2024affected < 1.23.0-r12fixed 1.23.0-r12
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain
- CVE-2024-34064May 6, 2024affected < 1.23.0-r12fixed 1.23.0-r12
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap
- affected < 1.23.0-r12fixed 1.23.0-r12
tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in relea
- CVE-2024-30251May 2, 2024affected < 1.23.0-r12fixed 1.23.0-r12
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process
- CVE-2024-27306Apr 18, 2024affected < 1.23.0-r12fixed 1.23.0-r12
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.
- affected < 1.23.0-r12fixed 1.23.0-r12
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of
- CVE-2024-27319Feb 23, 2024affected < 1.23.0-r12fixed 1.23.0-r12
Versions of the package onnx before and including 1.15.0 are vulnerable to Out-of-bounds Read as the ONNX_ASSERT and ONNX_ASSERTM functions have an off by one string copy.
- CVE-2024-27318Feb 23, 2024affected < 1.23.0-r12fixed 1.23.0-r12
Versions of the package onnx before and including 1.15.0 are vulnerable to Directory Traversal as the external_data field of the tensor proto can have a path to the file which is outside the model current directory or user-provided directory. The vulnerability occurs as a bypass
Page 9 of 9