apk package

wolfi/kubeflow-pipelines-visualization-server

pkg:apk/wolfi/kubeflow-pipelines-visualization-server

Vulnerabilities (93)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2024-55459		—	< 2.3.0-r5	2.3.0-r5	Jan 8, 2025	An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.
CVE-2024-56326		—	< 2.4.0-r0	2.4.0-r0	Dec 23, 2024	Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t
CVE-2024-56201		—	< 2.14.3-r2	2.14.3-r2	Dec 23, 2024	Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit
CVE-2024-52338		—	< 2.15.0-r0	2.15.0-r0	Nov 28, 2024	Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-suppli
CVE-2024-52804		—	< 2.3.0-r4	2.3.0-r4	Nov 22, 2024	Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par
CVE-2024-49767		—	< 2.4.0-r0	2.4.0-r0	Oct 25, 2024	Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively
CVE-2024-49766		—	< 2.4.0-r0	2.4.0-r0	Oct 25, 2024	Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended
CVE-2024-3651		—	< 2.2.0-r0	2.2.0-r0	Jul 7, 2024	A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
CVE-2024-39689		—	< 2.3.0-r1	2.3.0-r1	Jul 5, 2024	Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro
CVE-2024-28397	Med	5.3	< 2.4.0-r0	2.4.0-r0	Jun 20, 2024	An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
CVE-2024-37891		—	< 2.3.0-r1	2.3.0-r1	Jun 17, 2024	urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests without using urllib3's proxy support, it'
CVE-2024-5206		—	< 2.3.0-r1	2.3.0-r1	Jun 6, 2024	A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data wit
CVE-2024-35178		—	< 2.4.0-r0	2.4.0-r0	Jun 6, 2024	The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access
CVE-2024-5629		—	< 2.2.0-r0	2.2.0-r0	Jun 5, 2024	An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
CVE-2024-35195	Med	5.6	< 2.3.0-r0	2.3.0-r0	May 20, 2024	Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes
CVE-2024-34069		—	< 2.4.0-r0	2.4.0-r0	May 6, 2024	Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain
CVE-2024-34064		—	< 2.4.0-r0	2.4.0-r0	May 6, 2024	Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap
CVE-2024-4340	Hig	7.5	< 2.2.0-r0	2.2.0-r0	Apr 30, 2024	Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
CVE-2023-29483		—	< 2.2.0-r0	2.2.0-r0	Apr 11, 2024	eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred
CVE-2024-28219		—	< 2.2.0-r0	2.2.0-r0	Apr 3, 2024	In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

CVE-2024-55459Jan 8, 2025
affected < 2.3.0-r5fixed 2.3.0-r5
An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.
CVE-2024-56326Dec 23, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs t
CVE-2024-56201Dec 23, 2024
affected < 2.14.3-r2fixed 2.14.3-r2
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit
CVE-2024-52338Nov 28, 2024
affected < 2.15.0-r0fixed 2.15.0-r0
Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example, user-suppli
CVE-2024-52804Nov 22, 2024
affected < 2.3.0-r4fixed 2.3.0-r4
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par
CVE-2024-49767Oct 25, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively
CVE-2024-49766Oct 25, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended
CVE-2024-3651Jul 7, 2024
affected < 2.2.0-r0fixed 2.2.0-r0
A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service co
CVE-2024-39689Jul 5, 2024
affected < 2.3.0-r1fixed 2.3.0-r1
Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi starting in 2021.5.30 and prior to 2024.7.4 recognized root certificates from `GLOBALTRUST`. Certifi 2024.7.04 removes ro
CVE-2024-28397MedJun 20, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
CVE-2024-37891Jun 17, 2024
affected < 2.3.0-r1fixed 2.3.0-r1
urllib3 is a user-friendly HTTP client library for Python. When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3's proxy support, it'
CVE-2024-5206Jun 6, 2024
affected < 2.3.0-r1fixed 2.3.0-r1
A sensitive data leakage vulnerability was identified in scikit-learn's TfidfVectorizer, specifically in versions up to and including 1.4.1.post1, which was fixed in version 1.5.0. The vulnerability arises from the unexpected storage of all tokens present in the training data wit
CVE-2024-35178Jun 6, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access
CVE-2024-5629Jun 5, 2024
affected < 2.2.0-r0fixed 2.2.0-r0
An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier allows deserialization of malformed BSON provided by a Server to raise an exception which may contain arbitrary application memory.
CVE-2024-35195MedMay 20, 2024
affected < 2.3.0-r0fixed 2.3.0-r0
Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests `Session`, if the first request is made with `verify=False` to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes
CVE-2024-34069May 6, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
Werkzeug is a comprehensive WSGI web application library. The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain
CVE-2024-34064May 6, 2024
affected < 2.4.0-r0fixed 2.4.0-r0
Jinja is an extensible templating engine. The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted as starting a separate attribute. If an ap
CVE-2024-4340HigApr 30, 2024
affected < 2.2.0-r0fixed 2.2.0-r0
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
CVE-2023-29483Apr 11, 2024
affected < 2.2.0-r0fixed 2.2.0-r0
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred
CVE-2024-28219Apr 3, 2024
affected < 2.2.0-r0fixed 2.2.0-r0
In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.

Page 4 of 5