apk package
wolfi/kubeflow-pipelines-visualization-server
pkg:apk/wolfi/kubeflow-pipelines-visualization-server
Vulnerabilities (93)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-27454 | — | < 2.2.0-r0 | 2.2.0-r0 | Feb 26, 2024 | orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents. | ||
| CVE-2023-50447 | — | < 2.4.1-r2 | 2.4.1-r2 | Jan 19, 2024 | Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter). | ||
| CVE-2024-22195 | — | < 2.4.0-r0 | 2.4.0-r0 | Jan 11, 2024 | Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` f | ||
| CVE-2023-49080 | — | < 2.4.0-r0 | 2.4.0-r0 | Dec 4, 2023 | The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can includ | ||
| CVE-2023-47248 | — | < 0 | 0 | Nov 9, 2023 | Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vul | ||
| CVE-2023-46136 | Hig | 8.0 | < 2.4.0-r0 | 2.4.0-r0 | Oct 25, 2023 | Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are | |
| CVE-2023-39968 | — | < 2.4.0-r0 | 2.4.0-r0 | Aug 28, 2023 | jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter | ||
| CVE-2023-40170 | — | < 2.4.0-r0 | 2.4.0-r0 | Aug 28, 2023 | jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit | ||
| CVE-2023-25577 | — | < 2.4.0-r0 | 2.4.0-r0 | Feb 14, 2023 | Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory | ||
| CVE-2023-23934 | — | < 2.4.0-r0 | 2.4.0-r0 | Feb 14, 2023 | Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad | ||
| CVE-2021-32862 | — | < 2.4.0-r0 | 2.4.0-r0 | Aug 18, 2022 | The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vul | ||
| CVE-2022-29241 | — | < 2.4.0-r0 | 2.4.0-r0 | Jun 14, 2022 | Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the | ||
| CVE-2022-21699 | — | < 2.4.0-r0 | 2.4.0-r0 | Jan 19, 2022 | IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cros |
- CVE-2024-27454Feb 26, 2024affected < 2.2.0-r0fixed 2.2.0-r0
orjson.loads in orjson before 3.9.15 does not limit recursion for deeply nested JSON documents.
- CVE-2023-50447Jan 19, 2024affected < 2.4.1-r2fixed 2.4.1-r2
Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).
- CVE-2024-22195Jan 11, 2024affected < 2.4.0-r0fixed 2.4.0-r0
Jinja is an extensible templating engine. Special placeholders in the template allow writing code similar to Python syntax. It is possible to inject arbitrary HTML attributes into the rendered HTML template, potentially leading to Cross-Site Scripting (XSS). The Jinja `xmlattr` f
- CVE-2023-49080Dec 4, 2023affected < 2.4.0-r0fixed 2.4.0-r0
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter notebook, JupyterLab, and Voila. Unhandled errors in API requests coming from an authenticated user include traceback information, which can includ
- CVE-2023-47248Nov 9, 2023affected < 0fixed 0
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vul
- affected < 2.4.0-r0fixed 2.4.0-r0
Werkzeug is a comprehensive WSGI web application library. In versions on the 3.x branch prior to 3.0.1 and on the 2.x branch prior to 2.3.8, if an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are
- CVE-2023-39968Aug 28, 2023affected < 2.4.0-r0fixed 2.4.0-r0
jupyter-server is the backend for Jupyter web applications. Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter
- CVE-2023-40170Aug 28, 2023affected < 2.4.0-r0fixed 2.4.0-r0
jupyter-server is the backend for Jupyter web applications. Improper cross-site credential checks on `/files/` URLs could allow exposure of certain file contents, or accessing files when opening untrusted files via "Open image in new tab". This issue has been addressed in commit
- CVE-2023-25577Feb 14, 2023affected < 2.4.0-r0fixed 2.4.0-r0
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory
- CVE-2023-23934Feb 14, 2023affected < 2.4.0-r0fixed 2.4.0-r0
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad
- CVE-2021-32862Aug 18, 2022affected < 2.4.0-r0fixed 2.4.0-r0
The GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vul
- CVE-2022-29241Jun 14, 2022affected < 2.4.0-r0fixed 2.4.0-r0
Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications like Jupyter Notebook. Prior to version 1.17.1, if notebook server is started with a value of `root_dir` that contains the starting user's home directory, then the
- CVE-2022-21699Jan 19, 2022affected < 2.4.0-r0fixed 2.4.0-r0
IPython (Interactive Python) is a command shell for interactive computing in multiple programming languages, originally developed for the Python programming language. Affected versions are subject to an arbitrary code execution vulnerability achieved by not properly managing cros
Page 5 of 5