VYPR

apk package

wolfi/airflow-3-iamguarded-compat

pkg:apk/wolfi/airflow-3-iamguarded-compat

Vulnerabilities (18)

  • CVE-2025-69277  Medium  Dec 31, 2025
    affected: < 3.1.5-r1  fixed: 3.1.5-r1

    libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic g

  • CVE-2025-68480  Medium  Dec 22, 2025
    affected: < 3.1.5-r1  fixed: 3.1.5-r1

    Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request

  • CVE-2025-68146  Dec 16, 2025
    affected: < 3.1.5-r0  fixed: 3.1.5-r0

    filelock is a platform-independent file lock for Python. In versions prior to 3.20.1, a Time-of-Check-Time-of-Use (TOCTOU) race condition allows local attackers to corrupt or truncate arbitrary user files through symlink attacks. The vulnerability exists in both Unix and Windows

  • CVE-2025-66471  Dec 5, 2025
    affected: < 3.1.4-r0  fixed: 3.1.4-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly compressed data. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chu

  • CVE-2025-66418  Dec 5, 2025
    affected: < 3.1.4-r0  fixed: 3.1.4-r0

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage a

  • CVE-2025-66221  Nov 29, 2025
    affected: < 3.1.3-r0  fixed: 3.1.3-r0

    Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safe_join function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every direc

  • CVE-2025-62611  High  Oct 22, 2025
    affected: < 3.1.0-r3  fixed: 3.1.0-r3

    aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to creat

  • CVE-2025-57804  Medium  Aug 25, 2025
    affected: < 3.0.6-r0  fixed: 3.0.6-r0

    h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to

  • CVE-2025-54121  Medium  Jul 21, 2025
    affected: < 3.0.3-r3  fixed: 3.0.3-r3

    Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will bl

  • CVE-2025-50213  Jun 24, 2025
    affected: < 3.1.2-r0  fixed: 3.1.2-r0

    Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExter

  • CVE-2025-50182  Jun 19, 2025
    affected: < 3.0.2-r2  fixed: 3.0.2-r2

    urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpReque

  • CVE-2025-50181  Jun 19, 2025
    affected: < 3.0.2-r2  fixed: 3.0.2-r2

    urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An appl

  • CVE-2024-47081  Medium  Jun 9, 2025
    affected: < 3.0.1-r1  fixed: 3.0.1-r1

    Requests is a HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc

  • CVE-2025-5279  High  May 27, 2025
    affected: < 3.0.1-r1  fixed: 3.0.1-r1

    When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certificate validation step for the Identity Provider. An insecure connection could allow an actor to intercept the token exchange process and r

  • CVE-2025-32962  May 16, 2025
    affected: < 3.0.1-r1  fixed: 3.0.1-r1

    Flask-AppBuilder is an application development framework built on top of Flask. Versions prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests. Flask-AppBuilder 4.6.2 introduced the `FAB_SAFE_

  • CVE-2025-47287  May 15, 2025
    affected: < 3.0.1-r1  fixed: 3.0.1-r1

    Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo

  • CVE-2025-47278  Low  May 13, 2025
    affected: < 3.0.1-r1  fixed: 3.0.1-r1

    Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used for signing, rather than the current signing key. Signing is provided by the `itsdangerous` librar

  • CVE-2023-48022  Nov 28, 2023
    affected: < 0  fixed: 0

    Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network
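The question a practitioner brings to this list is which of the advisories above still apply to the version of airflow-3-iamguarded-compat that is actually installed. The Python below is an added example, not code from VYPR or from the Wolfi project. It constructs the advisory table from the 18 entries shown on this page and compares versions with a simplified reimplementation of apk-tools' ordering (dotted decimal components compared numerically, then the -rN package revision), which covers every version string on this page but not the full apk version grammar (letter suffixes and _alpha/_rc style tags are rejected rather than mis-ordered). How the fixed version 0 on CVE-2023-48022 is handled is an assumption: under this ordering no installed version sorts below 0, so that entry is never reported as outstanding; the page itself does not state what a fixed version of 0 means.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    """One row of the page: a CVE id and the first Wolfi package version that carries the fix."""
    cve: str
    fixed: str


# Constructed from the 18 entries listed above (CVE id, fixed version).
ADVISORIES: tuple[Advisory, ...] = (
    Advisory("CVE-2025-69277", "3.1.5-r1"),
    Advisory("CVE-2025-68480", "3.1.5-r1"),
    Advisory("CVE-2025-68146", "3.1.5-r0"),
    Advisory("CVE-2025-66471", "3.1.4-r0"),
    Advisory("CVE-2025-66418", "3.1.4-r0"),
    Advisory("CVE-2025-66221", "3.1.3-r0"),
    Advisory("CVE-2025-62611", "3.1.0-r3"),
    Advisory("CVE-2025-57804", "3.0.6-r0"),
    Advisory("CVE-2025-54121", "3.0.3-r3"),
    Advisory("CVE-2025-50213", "3.1.2-r0"),
    Advisory("CVE-2025-50182", "3.0.2-r2"),
    Advisory("CVE-2025-50181", "3.0.2-r2"),
    Advisory("CVE-2024-47081", "3.0.1-r1"),
    Advisory("CVE-2025-5279", "3.0.1-r1"),
    Advisory("CVE-2025-32962", "3.0.1-r1"),
    Advisory("CVE-2025-47287", "3.0.1-r1"),
    Advisory("CVE-2025-47278", "3.0.1-r1"),
    # Recorded on the page with fixed version 0. Assumption: nothing sorts
    # below 0, so this entry never shows up as outstanding.
    Advisory("CVE-2023-48022", "0"),
)

# Simplified apk version: dotted decimal components plus an optional -r<N>
# package revision. apk-tools also accepts letter suffixes and pre-release
# tags; those are rejected here instead of being silently mis-ordered.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_apk_version(version: str) -> tuple[tuple[int, ...], int]:
    """Split '3.1.5-r1' into ((3, 1, 5), 1). A missing -rN counts as revision 0."""
    m = _VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unsupported apk version string: {version!r}")
    components = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) is not None else 0
    return components, revision


def apk_version_less(a: str, b: str) -> bool:
    """True when version a sorts strictly before version b.

    Components and the revision are compared as integers, so
    3.1.0-r3 < 3.1.0-r10 (a plain string comparison would invert that).
    A version with more components sorts after its own prefix (3.1 < 3.1.0).
    """
    return parse_apk_version(a) < parse_apk_version(b)


def outstanding(installed: str) -> list[str]:
    """CVEs from the page whose fix landed in a version newer than `installed`."""
    return [adv.cve for adv in ADVISORIES if apk_version_less(installed, adv.fixed)]


def report(installed: str) -> str:
    """One-line summary for a given installed package version."""
    missing = outstanding(installed)
    if not missing:
        return f"{installed}: all {len(ADVISORIES)} listed advisories are fixed"
    return f"{installed}: {len(missing)} unfixed: " + ", ".join(missing)


if __name__ == "__main__":
    # Versions chosen to straddle the fix boundaries in the list above.
    for v in ("3.0.1-r0", "3.1.4-r0", "3.1.5-r0", "3.1.5-r1"):
        print(report(v))
```

The installed version to feed in is what `apk info -v airflow-3-iamguarded-compat` reports inside the image; the point of doing the comparison with parsed integers rather than string ordering is that the -rN revision is where most of the fixes on this page land, and revisions such as r10 and r3 compare wrongly as text.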