VYPR

apk package

wolfi/kubeflow-pipelines-metadata-writer-compat

pkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compat

Vulnerabilities (100)

  • CVE-2025-32997  Apr 15, 2025
    affected < 2.14.3-r3, fixed 2.14.3-r3

    In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.

  • CVE-2025-32996  Apr 15, 2025
    affected < 2.14.3-r3, fixed 2.14.3-r3

    In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.

  • CVE-2025-29786  High  Mar 17, 2025
    affected < 2.4.0-r9, fixed 2.4.0-r9

    Expr is an expression language and expression evaluation for Go. Prior to version 1.17.0, if the Expr expression parser is given an unbounded input string, it will attempt to compile the entire string and generate an Abstract Syntax Tree (AST) node for each part of the expression

  • CVE-2025-22870  Medium  Mar 12, 2025
    affected < 2.4.0-r8, fixed 2.4.0-r8

    Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
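    Added example (the editor's, not part of the VYPR listing and not the golang.org/x/net httpproxy code): a simplified NO_PROXY matcher in Go that reproduces the zone-ID confusion and the fix of stripping the RFC 4007 zone identifier before matching. net/url decodes the "%25" zone escape, so the URL from the description yields the host "::1%.example.com"; net.ParseIP rejects that string because of the zone suffix, so a matcher that classifies hosts with ParseIP falls through to domain-suffix matching and accepts it. The NO_PROXY value, hostnames and function names are constructed for the demonstration, and the pattern syntax supported is a subset of what the real library handles.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed NO_PROXY value for the demonstration; not taken from any real deployment.
const noProxyPatterns = "*.example.com,10.0.0.0/8,127.0.0.1"

// hostFromURL returns the host as a proxy layer sees it: no port, no IPv6
// brackets. net/url decodes the RFC 6874 "%25" zone escape, so the URL
// "http://[::1%25.example.com]:80/" yields the host "::1%.example.com".
func hostFromURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// splitPatterns turns a comma-separated NO_PROXY string into trimmed, non-empty entries.
func splitPatterns(noProxy string) []string {
	var out []string
	for _, p := range strings.Split(noProxy, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// matchPatterns decides whether host should bypass the proxy. IP literals only
// match IP or CIDR entries; anything net.ParseIP rejects is treated as a name
// and matched by exact value or by domain suffix ("*.example.com", ".example.com").
// This classification is the crux: "::1%.example.com" is rejected by ParseIP
// because of the zone suffix, so it falls into the name branch.
func matchPatterns(host string, patterns []string) bool {
	ip := net.ParseIP(host)
	for _, p := range patterns {
		if p == "*" {
			return true
		}
		if ip != nil {
			if pip := net.ParseIP(p); pip != nil && pip.Equal(ip) {
				return true
			}
			if _, n, err := net.ParseCIDR(p); err == nil && n.Contains(ip) {
				return true
			}
			continue
		}
		if p == host {
			return true
		}
		suffix := strings.TrimPrefix(p, "*")
		if strings.HasPrefix(suffix, ".") && strings.HasSuffix(host, suffix) {
			return true
		}
	}
	return false
}

// naiveBypassesProxy matches the raw host, reproducing the flaw: the zone ID
// ".example.com" on an IPv6 literal satisfies the "*.example.com" pattern.
func naiveBypassesProxy(host, noProxy string) bool {
	return matchPatterns(host, splitPatterns(noProxy))
}

// stripZone removes an RFC 4007 zone identifier ("fe80::1%eth0" -> "fe80::1").
// The zone names a local interface and must never take part in name matching.
func stripZone(host string) string {
	if i := strings.IndexByte(host, '%'); i >= 0 {
		return host[:i]
	}
	return host
}

// zoneSafeBypassesProxy strips the zone first, so the IPv6 literal is
// recognised as an address and compared only against IP/CIDR entries.
func zoneSafeBypassesProxy(host, noProxy string) bool {
	return matchPatterns(stripZone(host), splitPatterns(noProxy))
}

func main() {
	for _, raw := range []string{
		"http://api.example.com/v1",
		"http://[::1%25.example.com]:80/",
		"http://10.1.2.3/",
		"http://example.com.attacker.invalid/",
	} {
		host, err := hostFromURL(raw)
		if err != nil {
			fmt.Println(raw, "parse error:", err)
			continue
		}
		fmt.Printf("%-40s host=%-18s naive=%-5v zone-safe=%v\n",
			raw, host, naiveBypassesProxy(host, noProxyPatterns),
			zoneSafeBypassesProxy(host, noProxyPatterns))
	}
}
```

    The practical check for a deployment is the same as the example's: feed the matcher a URL whose bracketed IPv6 literal carries a "%25" zone ending in one of your NO_PROXY domains and confirm the request still goes through the proxy. Upgrading to the fixed golang.org/x/net module is the real remedy; the local matcher above only shows what the fixed behaviour has to look like.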

  • CVE-2025-27152  Mar 7, 2025
    affected < 2.4.0-r5, fixed 2.4.0-r5

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2025-22868  Feb 26, 2025
    affected < 2.4.0-r6, fixed 2.4.0-r6

    An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.

  • CVE-2025-22869  Feb 26, 2025
    affected < 2.4.0-r5, fixed 2.4.0-r5

    SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

  • CVE-2025-1302  Critical  Feb 15, 2025
    affected < 2.14.3-r3, fixed 2.14.3-r3

    Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. **Note:** This is caused by an

  • CVE-2024-12797  Medium  Feb 11, 2025
    affected < 2.4.0-r4, fixed 2.4.0-r4

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set. Impact summary: TLS and DTLS connections u

  • CVE-2025-22866  Medium  Feb 6, 2025
    affected < 2.4.0-r3, fixed 2.4.0-r3

    Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recover

  • CVE-2024-45339  High  Jan 28, 2025
    affected < 2.4.0-r2, fixed 2.4.0-r2

    When logs are written to a widely-writable directory (the default), an unprivileged attacker may predict a privileged process's log file path and pre-create a symbolic link to a sensitive file in its place. When that privileged process runs, it will follow the planted symlink and
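    Added example (the editor's, not part of the listing and not glog's own code): a Go demonstration of the pre-planted symlink attack described above, and of creating the log file with O_EXCL so that an existing name, symlink included, makes the create fail instead of being followed. The temporary directory, the guessable log name, the "sensitive" target and its contents are all constructed for the demonstration; which exact change glog shipped in its fixed version is not claimed here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// openLogNaive is the risky pattern: os.Create truncates whatever the path
// currently resolves to, so a symlink planted at a predictable log name
// redirects the privileged process's write to the link target.
func openLogNaive(path string) (*os.File, error) {
	return os.Create(path)
}

// openLogSafe adds O_EXCL: open(2) then fails with EEXIST if anything already
// exists at the name, and a symlink is never followed. The caller should treat
// that error as "pick a fresh name", not as "append to the existing file".
func openLogSafe(path string) (*os.File, error) {
	return os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
}

// demoResult records what each opener did to the planted target.
type demoResult struct {
	SafeErr       error  // expected: os.ErrExist
	SafeSurvived  string // target contents after openLogSafe ran
	NaiveErr      error  // expected: nil, the create "succeeds"
	NaiveSurvived string // target contents after openLogNaive ran
}

// runDemo builds the attack in a temp dir: a "sensitive" file, then a symlink
// at a predictable log path pointing at it, then each opener in turn.
// All paths and contents are constructed for the demonstration.
func runDemo() (demoResult, error) {
	dir, err := os.MkdirTemp("", "glog-symlink-demo")
	if err != nil {
		return demoResult{}, err
	}
	defer os.RemoveAll(dir)

	target := filepath.Join(dir, "sensitive.txt")
	if err := os.WriteFile(target, []byte("secret=1\n"), 0o600); err != nil {
		return demoResult{}, err
	}
	// Attacker step: the log name is guessable, so it can be pre-linked.
	logPath := filepath.Join(dir, "app.INFO.20250101-000000.1234")
	if err := os.Symlink(target, logPath); err != nil {
		return demoResult{}, err
	}

	var r demoResult
	if f, err := openLogSafe(logPath); err != nil {
		r.SafeErr = err
	} else {
		f.Close()
	}
	r.SafeSurvived = readFile(target)

	if f, err := openLogNaive(logPath); err != nil {
		r.NaiveErr = err
	} else {
		fmt.Fprintln(f, "I0101 00:00:00 privileged process started")
		f.Close()
	}
	r.NaiveSurvived = readFile(target)
	return r, nil
}

func readFile(path string) string {
	b, err := os.ReadFile(path)
	if err != nil {
		return "<read error: " + err.Error() + ">"
	}
	return string(b)
}

func main() {
	r, err := runDemo()
	if err != nil {
		fmt.Println("demo failed:", err)
		return
	}
	fmt.Printf("O_EXCL open:  err=%v\n  target now: %q\n", r.SafeErr, r.SafeSurvived)
	fmt.Printf("os.Create:    err=%v\n  target now: %q\n", r.NaiveErr, r.NaiveSurvived)
}
```

    O_EXCL is portable; on Linux, syscall.O_NOFOLLOW is the stricter alternative when the file may legitimately pre-exist. Either way, the larger fix is to stop writing privileged logs into a world-writable directory at all: a directory only the logging process can write to removes the attacker's ability to plant the link in the first place.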

  • CVE-2024-45338  Medium  Dec 18, 2024
    affected < 2.3.0-r5, fixed 2.3.0-r5

    An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

  • CVE-2024-45337  Critical  Dec 12, 2024
    affected < 2.3.0-r4, fixed 2.3.0-r4

    Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that

  • CVE-2024-52798  High  Dec 5, 2024
    affected < 2.3.0-r3, fixed 2.3.0-r3

    path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path

  • CVE-2024-10220  High  Nov 22, 2024
    affected < 2.3.0-r3, fixed 2.3.0-r3

    The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes. This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

  • CVE-2024-21536  Oct 19, 2024
    affected < 2.14.3-r3, fixed 2.14.3-r3

    Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to

  • CVE-2024-21534  Critical  Oct 11, 2024
    affected < 2.14.3-r3, fixed 2.14.3-r3

    All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix i

  • CVE-2024-47764  Medium  Oct 4, 2024
    affected < 2.4.0-r9, fixed 2.4.0-r9

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-45590  Sep 10, 2024
    affected < 2.2.0-r12, fixed 2.2.0-r12

    body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is

  • CVE-2024-43800  Sep 10, 2024
    affected < 2.2.0-r12, fixed 2.2.0-r12

    serve-static serves static files. serve-static passes untrusted user input, even after sanitizing it, to redirect(), which may execute untrusted code. This issue is patched in serve-static 1.16.0.

Page 2 of 5