apk package
wolfi/kserve-qpext
pkg:apk/wolfi/kserve-qpext
Vulnerabilities (46)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-34156 | Hig | 7.5 | < 0.13.1-r5 | 0.13.1-r5 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-34155 | Med | 4.3 | < 0.13.1-r5 | 0.13.1-r5 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | |
| CVE-2024-42367 | — | < 0.13.1-r3 | 0.13.1-r3 | Aug 9, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director | ||
| CVE-2024-3651 | — | < 0.13.1-r3 | 0.13.1-r3 | Jul 7, 2024 | A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co | ||
| CVE-2024-30251 | — | < 0.13.1-r3 | 0.13.1-r3 | May 2, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process | ||
| CVE-2024-27306 | — | < 0.13.1-r3 | 0.13.1-r3 | Apr 18, 2024 | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files. |
- affected < 0.13.1-r5fixed 0.13.1-r5
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 0.13.1-r5fixed 0.13.1-r5
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
- CVE-2024-42367Aug 9, 2024affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root director
- CVE-2024-3651Jul 7, 2024affected < 0.13.1-r3fixed 0.13.1-r3
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
- CVE-2024-30251May 2, 2024affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In affected versions an attacker can send a specially crafted POST (multipart/form-data) request. When the aiohttp server processes it, the server will enter an infinite loop and be unable to process
- CVE-2024-27306Apr 18, 2024affected < 0.13.1-r3fixed 0.13.1-r3
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. A XSS vulnerability exists on index pages for static file handling. This vulnerability is fixed in 3.9.4. We have always recommended using a reverse proxy server (e.g. nginx) for serving static files.
Page 3 of 3