VYPR

apk package

chainguard/apache-activemq-fips-6.1

pkg:apk/chainguard/apache-activemq-fips-6.1

Vulnerabilities (17)

  • CVE-2026-54517medJun 23, 2026
    affected < 6.1.8-r11fixed 6.1.8-r11

    ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()

  • CVE-2026-54514medJun 23, 2026
    affected < 6.1.8-r11fixed 6.1.8-r11

    ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd

  • CVE-2026-54513higJun 23, 2026
    affected < 6.1.8-r11fixed 6.1.8-r11

    ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli

  • CVE-2026-54512higJun 23, 2026
    affected < 6.1.8-r11fixed 6.1.8-r11

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal

  • CVE-2026-54518medJun 23, 2026
    affected < 6.1.8-r11fixed 6.1.8-r11

    ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea

  • CVE-2026-22745MedApr 29, 2026
    affected < 6.1.8-r7fixed 6.1.8-r7

    Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is

  • CVE-2026-22741LowApr 29, 2026
    affected < 6.1.8-r7fixed 6.1.8-r7

    Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuri

  • CVE-2026-40453CriApr 27, 2026
    affected < 6.1.8-r6fixed 6.1.8-r6

    The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP Header

  • CVE-2026-34480HigApr 10, 2026
    affected < 6.1.8-r3fixed 6.1.8-r3

    Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whene

  • CVE-2026-34478HigApr 10, 2026
    affected < 6.1.8-r3fixed 6.1.8-r3

    Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinc

  • CVE-2026-34477MedApr 10, 2026
    affected < 6.1.8-r3fixed 6.1.8-r3

    The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName

  • CVE-2026-22737MedMar 20, 2026
    affected < 6.1.8-r7fixed 6.1.8-r7

    Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 throug

  • CVE-2026-22735LowMar 20, 2026
    affected < 6.1.8-r7fixed 6.1.8-r7

    Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

  • CVE-2026-23903Feb 9, 2026
    affected < 6.1.8-r7fixed 6.1.8-r7

    Authentication Bypass by Alternate Name vulnerability in Apache Shiro. This issue affects Apache Shiro: before 2.0.7. Users are recommended to upgrade to version 2.0.7, which fixes the issue. The issue only effects static files. If static files are served from a case-insensiti

  • CVE-2025-68161Dec 18, 2025
    affected < 6.1.8-r3fixed 6.1.8-r3

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-41249HigSep 16, 2025
    affected < 6.1.8-r7fixed 6.1.8-r7

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-41242MedAug 18, 2025
    affected < 6.1.8-r7fixed 6.1.8-r7

    Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet co

VYPR — Vulnerability Intelligence