apk package

chainguard/py3-cassandra-medusa-compat

pkg:apk/chainguard/py3-cassandra-medusa-compat

Vulnerabilities (34)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-69230		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w
CVE-2025-69229		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method
CVE-2025-69228		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ
CVE-2025-69227		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI
CVE-2025-69225		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi
CVE-2025-69226		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica
CVE-2025-69224		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u
CVE-2025-69223		—	< 0.26.0-r3	0.26.0-r3	Jan 5, 2026	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust
CVE-2025-68146		—	< 0.26.0-r2	0.26.0-r2	Dec 16, 2025	filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows
CVE-2025-53643		—	< 0.24.1-r1	0.24.1-r1	Jul 14, 2025	AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed
CVE-2025-50182		—	< 0.26.0-r0	0.26.0-r0	Jun 19, 2025	urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque
CVE-2024-47081	Med	5.3	< 0	0	Jun 9, 2025	Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc
CVE-2025-47273		—	< 0	0	May 17, 2025	setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on
CVE-2024-12797	Med	6.3	< 0.23.0-r2	0.23.0-r2	Feb 11, 2025	Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u
CVE-2024-53899		—	< 0.23.0-r0	0.23.0-r0	Nov 24, 2024	virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
CVE-2024-52304		—	< 0.22.3-r1	0.22.3-r1	Nov 18, 2024	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai
CVE-2024-42367		—	< 0.22.3-r1	0.22.3-r1	Aug 9, 2024	aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
CVE-2024-6345	Hig	8.8	< 0.23.0-r30	0.23.0-r30	Jul 15, 2024	A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti
CVE-2024-3651		—	< 0.23.0-r30	0.23.0-r30	Jul 7, 2024	A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
CVE-2024-39689		—	< 0.23.0-r30	0.23.0-r30	Jul 5, 2024	Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

CVE-2025-69230Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, reading multiple invalid cookies can lead to a logging storm. If the cookies attribute is accessed in an application, then an attacker may be able to trigger a storm of w
CVE-2025-69229Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method
CVE-2025-69228Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Requ
CVE-2025-69227Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTI
CVE-2025-69225Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi
CVE-2025-69226Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica
CVE-2025-69224Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u
CVE-2025-69223Jan 5, 2026
affected < 0.26.0-r3fixed 0.26.0-r3
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust
CVE-2025-68146Dec 16, 2025
affected < 0.26.0-r2fixed 0.26.0-r2
filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows
CVE-2025-53643Jul 14, 2025
affected < 0.24.1-r1fixed 0.24.1-r1
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed
CVE-2025-50182Jun 19, 2025
affected < 0.26.0-r0fixed 0.26.0-r0
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque
CVE-2024-47081MedJun 9, 2025
affected < 0fixed 0
Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc
CVE-2025-47273May 17, 2025
affected < 0fixed 0
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on
CVE-2024-12797MedFeb 11, 2025
affected < 0.23.0-r2fixed 0.23.0-r2
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u
CVE-2024-53899Nov 24, 2024
affected < 0.23.0-r0fixed 0.23.0-r0
virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.
CVE-2024-52304Nov 18, 2024
affected < 0.22.3-r1fixed 0.22.3-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai
CVE-2024-42367Aug 9, 2024
affected < 0.22.3-r1fixed 0.22.3-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
CVE-2024-6345HigJul 15, 2024
affected < 0.23.0-r30fixed 0.23.0-r30
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti
CVE-2024-3651Jul 7, 2024
affected < 0.23.0-r30fixed 0.23.0-r30
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
CVE-2024-39689Jul 5, 2024
affected < 0.23.0-r30fixed 0.23.0-r30
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

Page 1 of 2