apk package
chainguard/py3-cassandra-medusa
pkg:apk/chainguard/py3-cassandra-medusa
Vulnerabilities (72)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-35195 | Med | 5.6 | < 0.23.0-r30 | 0.23.0-r30 | May 20, 2024 | Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes | |
| CVE-2024-27306 | — | < 0.20.1-r0 | 0.20.1-r0 | Apr 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. | ||
| CVE-2024-26130 | — | < 0.19.1-r1 | 0.19.1-r1 | Feb 21, 2024 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided | ||
| CVE-2023-50782 | — | < 0.17.2-r1 | 0.17.2-r1 | Feb 5, 2024 | A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. | ||
| CVE-2024-23334 | — | < 0.17.2-r1 | 0.17.2-r1 | Jan 29, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether | ||
| CVE-2024-23829 | — | < 0.17.2-r1 | 0.17.2-r1 | Jan 29, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to pr | ||
| CVE-2024-0727 | Med | 5.5 | < 0.17.2-r1 | 0.17.2-r1 | Jan 26, 2024 | Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can c | |
| CVE-2023-49081 | — | < 0.19.1-r1 | 0.19.1-r1 | Nov 30, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability | ||
| CVE-2023-49082 | — | < 0.19.1-r1 | 0.19.1-r1 | Nov 29, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerabilit | ||
| CVE-2023-49083 | — | < 0.19.1-r1 | 0.19.1-r1 | Nov 29, 2023 | cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious | ||
| CVE-2023-47627 | — | < 0.19.1-r1 | 0.19.1-r1 | Nov 14, 2023 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt whe | ||
| CVE-2023-45803 | — | < 0.23.0-r0 | 0.23.0-r0 | Oct 17, 2023 | urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE |
- affected < 0.23.0-r30fixed 0.23.0-r30
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes
- CVE-2024-27306Apr 18, 2024affected < 0.20.1-r0fixed 0.20.1-r0
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.
- CVE-2024-26130Feb 21, 2024affected < 0.19.1-r1fixed 0.19.1-r1
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided
- CVE-2023-50782Feb 5, 2024affected < 0.17.2-r1fixed 0.17.2-r1
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
- CVE-2024-23334Jan 29, 2024affected < 0.17.2-r1fixed 0.17.2-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessary to specify the root path for static files. Additionally, the option 'follow_symlinks' can be used to determine whether
- CVE-2024-23829Jan 29, 2024affected < 0.17.2-r1fixed 0.17.2-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error handling to robustly match frame boundaries of proxies in order to pr
- affected < 0.17.2-r1fixed 0.17.2-r1
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can c
- CVE-2023-49081Nov 30, 2023affected < 0.19.1-r1fixed 0.19.1-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability
- CVE-2023-49082Nov 29, 2023affected < 0.19.1-r1fixed 0.19.1-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerabilit
- CVE-2023-49083Nov 29, 2023affected < 0.19.1-r1fixed 0.19.1-r1
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious
- CVE-2023-47627Nov 14, 2023affected < 0.19.1-r1fixed 0.19.1-r1
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt whe
- CVE-2023-45803Oct 17, 2023affected < 0.23.0-r0fixed 0.23.0-r0
urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like `POST`) to `GE
Page 4 of 4