VYPR

apk package

chainguard/py3-cassandra-medusa

pkg:apk/chainguard/py3-cassandra-medusa

Vulnerabilities (72)

  • CVE-2025-69224Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u

  • CVE-2025-69223Jan 5, 2026
    affected < 0.26.0-r3fixed 0.26.0-r3

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust

  • CVE-2025-68146Dec 16, 2025
    affected < 0.26.0-r2fixed 0.26.0-r2

    filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows

  • CVE-2025-66471Dec 5, 2025
    affected < 0.28.0-r1fixed 0.28.0-r1

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418Dec 5, 2025
    affected < 0.28.0-r1fixed 0.28.0-r1

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-8869MedSep 24, 2025
    affected < 0.29.0-r4fixed 0.29.0-r4

    When extracting a tar archive pip may not check symbolic links point into the extraction directory if the tarfile module doesn't implement PEP 706. Note that upgrading pip to a "fixed" version for this vulnerability doesn't fix all known vulnerabilities that are remediated by usi

  • CVE-2025-53643Jul 14, 2025
    affected < 0.24.1-r1fixed 0.24.1-r1

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed

  • CVE-2025-50182Jun 19, 2025
    affected < 0.26.0-r0fixed 0.26.0-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181Jun 19, 2025
    affected < 0.28.0-r1fixed 0.28.0-r1

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2024-47081MedJun 9, 2025
    affected < 0.27.1-r1fixed 0.27.1-r1

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-47273May 17, 2025
    affected < 0fixed 0

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on

  • CVE-2024-12797MedFeb 11, 2025
    affected < 0.23.0-r2fixed 0.23.0-r2

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2024-53899Nov 24, 2024
    affected < 0.23.0-r0fixed 0.23.0-r0

    virtualenv before 20.26.6 allows command injection through the activation scripts for a virtual environment. Magic template strings are not quoted correctly when replacing. NOTE: this is not the same as CVE-2024-9287.

  • CVE-2024-52304Nov 18, 2024
    affected < 0.22.3-r1fixed 0.22.3-r1

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai

  • CVE-2024-42367Aug 9, 2024
    affected < 0.22.3-r1fixed 0.22.3-r1

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director

  • CVE-2024-6345HigJul 15, 2024
    affected < 0.23.0-r30fixed 0.23.0-r30

    A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti

  • CVE-2024-3651Jul 7, 2024
    affected < 0.23.0-r30fixed 0.23.0-r30

    A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co

  • CVE-2024-39689Jul 5, 2024
    affected < 0.23.0-r30fixed 0.23.0-r30

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

  • CVE-2024-37891Jun 17, 2024
    affected < 0.23.0-r30fixed 0.23.0-r30

    urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'

  • CVE-2024-35255Jun 11, 2024
    affected < 0.21.0-r3fixed 0.21.0-r3

    Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability