Resource Exhaustion Affecting kubeflow-pipelines package, versions <2.2.0-r9
Threat Intelligence
EPSS
0.06% (25th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-WOLFILATEST-KUBEFLOWPIPELINES-7677623
- published 13 Aug 2024
- disclosed 29 Jul 2024
Introduced: 29 Jul 2024
CVE-2024-41818 Open this link in a new tabHow to fix?
Upgrade Wolfi kubeflow-pipelines to version 2.2.0-r9 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kubeflow-pipelines package and not the kubeflow-pipelines package as distributed by Wolfi.
See How to fix? for Wolfi relevant fixed versions and status.
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.
References
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/ba5f35e7680468acd7906eaabb2f69e28ed8b2aa
- https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v
CVSS Scores
version 3.1