apk package
wolfi/sqlpad
pkg:apk/wolfi/sqlpad
Vulnerabilities (63)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-12905 | Hig | 7.5 | < 7.5.3-r1 | 7.5.3-r1 | Mar 27, 2025 | An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrit | |
| CVE-2025-29775 | Cri | — | < 7.5.2-r2 | 7.5.2-r2 | Mar 14, 2025 | xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed | |
| CVE-2025-29774 | Cri | — | < 7.5.2-r2 | 7.5.2-r2 | Mar 14, 2025 | xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed | |
| CVE-2024-52798 | Hig | — | < 7.5.2-r0 | 7.5.2-r0 | Dec 5, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path | |
| CVE-2024-21538 | Hig | 7.5 | < 7.5.1-r1 | 7.5.1-r1 | Nov 8, 2024 | Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted | |
| CVE-2024-47764 | Med | — | < 7.5.2-r2 | 7.5.2-r2 | Oct 4, 2024 | cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo | |
| CVE-2024-45590 | — | < 7.5.0-r1 | 7.5.0-r1 | Sep 10, 2024 | body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is | ||
| CVE-2024-43800 | — | < 7.5.0-r1 | 7.5.0-r1 | Sep 10, 2024 | serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0. | ||
| CVE-2024-43799 | — | < 7.5.0-r1 | 7.5.0-r1 | Sep 10, 2024 | Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. | ||
| CVE-2024-43796 | — | < 7.5.0-r1 | 7.5.0-r1 | Sep 10, 2024 | Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0. | ||
| CVE-2024-45296 | Hig | 7.5 | < 7.5.0-r1 | 7.5.0-r1 | Sep 9, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will | |
| CVE-2024-35255 | — | < 7.4.3-r0 | 7.4.3-r0 | Jun 11, 2024 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | ||
| CVE-2024-21512 | Hig | 8.2 | < 7.4.3-r0 | 7.4.3-r0 | May 29, 2024 | Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables. | |
| CVE-2024-29415 | Hig | 8.1 | < 7.4.3-r0 | 7.4.3-r0 | May 27, 2024 | The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for | |
| CVE-2024-21511 | Cri | 9.8 | < 7.4.1-r4 | 7.4.1-r4 | Apr 23, 2024 | Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function. | |
| CVE-2024-21508 | Cri | 9.8 | < 7.4.1-r4 | 7.4.1-r4 | Apr 11, 2024 | Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values. | |
| CVE-2024-21507 | — | < 7.4.1-r4 | 7.4.1-r4 | Apr 10, 2024 | Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key. | ||
| CVE-2024-21509 | — | < 7.4.1-r4 | 7.4.1-r4 | Apr 10, 2024 | Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js. | ||
| CVE-2024-22363 | Hig | 7.5 | < 7.4.1-r3 | 7.4.1-r3 | Apr 5, 2024 | SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS). | |
| CVE-2024-29041 | — | < 7.4.1-r3 | 7.4.1-r3 | Mar 25, 2024 | Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres |
- affected < 7.5.3-r1fixed 7.5.3-r1
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrit
- affected < 7.5.2-r2fixed 7.5.2-r2
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed
- affected < 7.5.2-r2fixed 7.5.2-r2
xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed
- affected < 7.5.2-r0fixed 7.5.2-r0
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. The regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of path
- affected < 7.5.1-r1fixed 7.5.1-r1
Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted
- affected < 7.5.2-r2fixed 7.5.2-r2
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo
- CVE-2024-45590Sep 10, 2024affected < 7.5.0-r1fixed 7.5.0-r1
body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This is
- CVE-2024-43800Sep 10, 2024affected < 7.5.0-r1fixed 7.5.0-r1
serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to redirect() may execute untrusted code. This issue is patched in serve-static 1.16.0.
- CVE-2024-43799Sep 10, 2024affected < 7.5.0-r1fixed 7.5.0-r1
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
- CVE-2024-43796Sep 10, 2024affected < 7.5.0-r1fixed 7.5.0-r1
Express.js minimalist web framework for node. In express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in express 4.20.0.
- affected < 7.5.0-r1fixed 7.5.0-r1
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will
- CVE-2024-35255Jun 11, 2024affected < 7.4.3-r0fixed 7.4.3-r0
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
- affected < 7.4.3-r0fixed 7.4.3-r0
Versions of the package mysql2 before 3.9.8 are vulnerable to Prototype Pollution due to improper user input sanitization passed to fields and tables when using nestTables.
- affected < 7.4.3-r0fixed 7.4.3-r0
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for
- affected < 7.4.1-r4fixed 7.4.1-r4
Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function.
- affected < 7.4.1-r4fixed 7.4.1-r4
Versions of the package mysql2 before 3.9.4 are vulnerable to Remote Code Execution (RCE) via the readCodeFor function due to improper validation of the supportBigNumbers and bigNumberStrings values.
- CVE-2024-21507Apr 10, 2024affected < 7.4.1-r4fixed 7.4.1-r4
Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.
- CVE-2024-21509Apr 10, 2024affected < 7.4.1-r4fixed 7.4.1-r4
Versions of the package mysql2 before 3.9.4 are vulnerable to Prototype Poisoning due to insecure results object creation and improper user input sanitization passed through parserFn in text_parser.js and binary_parser.js.
- affected < 7.4.1-r3fixed 7.4.1-r3
SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS).
- CVE-2024-29041Mar 25, 2024affected < 7.4.1-r3fixed 7.4.1-r3
Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are affected by an open redirect vulnerability using malformed URLs. When a user of Express performs a redirect using a user-provided URL Expres
Page 3 of 4