VYPR

apk package

wolfi/kubeflow-pipelines-frontend

pkg:apk/wolfi/kubeflow-pipelines-frontend

Vulnerabilities (135)

  • CVE-2025-1302CriFeb 15, 2025
    affected < 2.15.0-r1fixed 2.15.0-r1

    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an

  • CVE-2024-12797MedFeb 11, 2025
    affected < 2.4.0-r4fixed 2.4.0-r4

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2025-22866MedFeb 6, 2025
    affected < 2.4.0-r3fixed 2.4.0-r3

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2024-45339HigJan 28, 2025
    affected < 2.4.0-r2fixed 2.4.0-r2

    When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and

  • CVE-2024-45338MedDec 18, 2024
    affected < 2.3.0-r5fixed 2.3.0-r5

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337CriDec 12, 2024
    affected < 2.3.0-r4fixed 2.3.0-r4

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-52798HigDec 5, 2024
    affected < 2.3.0-r3fixed 2.3.0-r3

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path

  • CVE-2024-10220HigNov 22, 2024
    affected < 2.3.0-r3fixed 2.3.0-r3

    The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

  • CVE-2024-21536Oct 19, 2024
    affected < 2.15.0-r1fixed 2.15.0-r1

    Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to

  • CVE-2024-21534CriOct 11, 2024
    affected < 2.15.0-r1fixed 2.15.0-r1

    All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix i

  • CVE-2024-47764MedOct 4, 2024
    affected < 2.4.0-r9fixed 2.4.0-r9

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-45590Sep 10, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is

  • CVE-2024-43800Sep 10, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.

  • CVE-2024-43799Sep 10, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

  • CVE-2024-43796Sep 10, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.

  • CVE-2024-45296HigSep 9, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will

  • CVE-2024-34158HigSep 6, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

  • CVE-2024-34156HigSep 6, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

  • CVE-2024-34155MedSep 6, 2024
    affected < 2.2.0-r12fixed 2.2.0-r12

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

  • CVE-2024-39338Aug 9, 2024
    affected < 2.2.0-r10fixed 2.2.0-r10

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

Page 4 of 7