VYPR

apk package

wolfi/checkov

pkg:apk/wolfi/checkov

Vulnerabilities (46)

  • CVE-2025-69225Jan 5, 2026
    affected < 3.2.499-r0fixed 3.2.499-r0

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploi

  • CVE-2025-69226Jan 5, 2026
    affected < 3.2.499-r0fixed 3.2.499-r0

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an applica

  • CVE-2025-69224Jan 5, 2026
    affected < 3.2.499-r0fixed 3.2.499-r0

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the u

  • CVE-2025-69223Jan 5, 2026
    affected < 3.2.499-r0fixed 3.2.499-r0

    AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust

  • CVE-2025-47273May 17, 2025
    affected < 3.2.432-r0fixed 3.2.432-r0

    setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on

  • CVE-2025-43859CriApr 24, 2025
    affected < 3.2.432-r0fixed 3.2.432-r0

    h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since explo

  • CVE-2025-27516Mar 5, 2025
    affected < 3.2.432-r0fixed 3.2.432-r0

    Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker nee

  • CVE-2024-56326Dec 23, 2024
    affected < 3.2.432-r0fixed 3.2.432-r0

    Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t

  • CVE-2024-56201Dec 23, 2024
    affected < 3.2.432-r0fixed 3.2.432-r0

    Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit

  • CVE-2024-52304Nov 18, 2024
    affected < 3.2.432-r0fixed 3.2.432-r0

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.10.11, the Python parser parses newlines in chunk extensions incorrectly which can lead to request smuggling vulnerabilities under certain conditions. If a pure Python version of ai

  • CVE-2024-52303Nov 18, 2024
    affected < 3.2.432-r0fixed 3.2.432-r0

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions starting with 3.10.6 and prior to 3.10.11, a memory leak can occur when a request produces a MatchInfoError. This was caused by adding an entry to a cache on each request, due to the build

  • CVE-2024-42367Aug 9, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director

  • CVE-2024-6345HigJul 15, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti

  • CVE-2024-5569MedJul 9, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as

  • CVE-2024-3651Jul 7, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co

  • CVE-2024-39689Jul 5, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

  • CVE-2024-37891Jun 17, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'

  • CVE-2024-35195MedMay 20, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes

  • CVE-2024-34064May 6, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap

  • CVE-2024-34062MedMay 3, 2024
    affected < 3.0.34-r1fixed 3.0.34-r1

    tqdm is an open source progress bar for Python and CLI. Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. This issue is only locally exploitable and had been addressed in relea