VYPR

apk package

wolfi/kubeflow-pipelines-frontend

pkg:apk/wolfi/kubeflow-pipelines-frontend

Vulnerabilities (135)

  • CVE-2024-41818Jul 29, 2024
    affected < 2.2.0-r9fixed 2.2.0-r9

    fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.

  • CVE-2024-5321MedJul 18, 2024
    affected < 2.2.0-r8fixed 2.2.0-r8

    A security issue was discovered in Kubernetes clusters with Windows nodes where BUILTIN\Users may be able to read container logs and NT AUTHORITY\Authenticated Users may be able to modify container logs.

  • CVE-2024-5569MedJul 9, 2024
    affected < 2.2.0-r7fixed 2.2.0-r7

    A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as

  • CVE-2024-3651Jul 7, 2024
    affected < 2.1.0-r0fixed 2.1.0-r0

    A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co

  • CVE-2024-39689Jul 5, 2024
    affected < 2.2.0-r6fixed 2.2.0-r6

    Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro

  • CVE-2024-24791HigJul 2, 2024
    affected < 2.2.0-r5fixed 2.2.0-r5

    The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co

  • CVE-2024-37890HigJun 17, 2024
    affected < 2.2.0-r4fixed 2.2.0-r4

    ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e

  • CVE-2024-37891Jun 17, 2024
    affected < 2.2.0-r4fixed 2.2.0-r4

    urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'

  • CVE-2024-35195MedMay 20, 2024
    affected < 2.2.0-r2fixed 2.2.0-r2

    Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes

  • CVE-2024-4068May 13, 2024
    affected < 2.15.0-r1fixed 2.15.0-r1

    The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program

  • CVE-2024-4067May 13, 2024
    affected < 2.15.0-r1fixed 2.15.0-r1

    The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w

  • CVE-2024-3177LowApr 22, 2024
    affected < 2.14.3-r3fixed 2.14.3-r3

    A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated. T

  • CVE-2023-45288HigApr 4, 2024
    affected < 2.0.5-r7fixed 2.0.5-r7

    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed Ma

  • CVE-2024-29041Mar 25, 2024
    affected < 2.4.0-r9fixed 2.4.0-r9

    Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres

  • CVE-2024-28849Mar 14, 2024
    affected < 2.0.5-r5fixed 2.0.5-r5

    follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which

  • CVE-2024-24786HigMar 5, 2024
    affected < 2.0.5-r5fixed 2.0.5-r5

    The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.

  • CVE-2024-24785MedMar 5, 2024
    affected < 2.0.5-r4fixed 2.0.5-r4

    If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates.

  • CVE-2024-24784HigMar 5, 2024
    affected < 2.0.5-r4fixed 2.0.5-r4

    The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

  • CVE-2024-24783MedMar 5, 2024
    affected < 2.0.5-r4fixed 2.0.5-r4

    Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The defaul

  • CVE-2023-45290MedMar 5, 2024
    affected < 2.0.5-r4fixed 2.0.5-r4

    When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line

Page 5 of 7