VYPR

apk package

chainguard/apache-hop-fips

pkg:apk/chainguard/apache-hop-fips

Vulnerabilities (52)

  • CVE-2025-12383Nov 18, 2025
    affected < 2.15.0-r16fixed 2.15.0-r16

    In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but

  • CVE-2025-59419MedOct 15, 2025
    affected < 2.15.0-r15fixed 2.15.0-r15

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) char

  • CVE-2025-59250Oct 14, 2025
    affected < 2.15.0-r16fixed 2.15.0-r16

    Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-41249HigSep 16, 2025
    affected < 2.15.0-r14fixed 2.15.0-r14

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-58057Sep 3, 2025
    affected < 2.16.0-r0fixed 2.16.0-r0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056Sep 3, 2025
    affected < 2.15.0-r11fixed 2.15.0-r11

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch

  • CVE-2025-55163Aug 13, 2025
    affected < 2.15.0-r1fixed 2.15.0-r1

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the

  • CVE-2025-48924Jul 11, 2025
    affected < 2.17.0-r7fixed 2.17.0-r7

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2024-8184Oct 14, 2024
    affected < 2.16.0-r0fixed 2.16.0-r0

    There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's

  • CVE-2024-9823Oct 14, 2024
    affected < 2.15.0-r2fixed 2.15.0-r2

    There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the s

  • CVE-2023-36479Sep 15, 2023
    affected < 2.15.0-r2fixed 2.15.0-r2

    Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac

  • CVE-2021-34429Jul 15, 2021
    affected < 2.16.0-r0fixed 2.16.0-r0

    For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/G

Page 3 of 3