VYPR

apk package

chainguard/apache-nifi-registry

pkg:apk/chainguard/apache-nifi-registry

Vulnerabilities (37)

  • CVE-2026-22737MedMar 20, 2026
    affected < 2.8.0-r3fixed 2.8.0-r3

    Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 throug

  • CVE-2026-22735LowMar 20, 2026
    affected < 2.8.0-r3fixed 2.8.0-r3

    Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.

  • CVE-2026-22733HigMar 20, 2026
    affected < 2.8.0-r3fixed 2.8.0-r3

    Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 th

  • CVE-2026-22732CriMar 19, 2026
    affected < 2.8.0-r2fixed 2.8.0-r2

    When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written.  This issue affects Spring Security Servlet applications using lazy (default) writing of HTTP Headers: : from 5.7.0

  • CVE-2026-22731HigMar 19, 2026
    affected < 2.8.0-r3fixed 2.8.0-r3

    Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot:

  • CVE-2026-1225LowJan 22, 2026
    affected < 2.7.2-r3fixed 2.7.2-r3

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti

  • CVE-2025-67735Dec 16, 2025
    affected < 2.7.2-r0fixed 2.7.2-r0

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-11226MedOct 1, 2025
    affected < 2.6.0-r1fixed 2.6.0-r1

    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia

  • CVE-2025-41249HigSep 16, 2025
    affected < 2.5.0-r7fixed 2.5.0-r7

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-41248HigSep 16, 2025
    affected < 2.5.0-r6fixed 2.5.0-r6

    The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in a

  • CVE-2025-5115Aug 20, 2025
    affected < 2.5.0-r2fixed 2.5.0-r2

    In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th

  • CVE-2025-41242MedAug 18, 2025
    affected < 2.5.0-r1fixed 2.5.0-r1

    Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet co

  • CVE-2025-48924Jul 11, 2025
    affected < 2.4.0-r4fixed 2.4.0-r4

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2025-53864MedJul 11, 2025
    affected < 2.4.0-r4fixed 2.4.0-r4

    Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca

  • CVE-2025-41234MedJun 12, 2025
    affected < 2.4.0-r3fixed 2.4.0-r3

    Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-s

  • CVE-2025-4949May 21, 2025
    affected < 2.4.0-r1fixed 2.4.0-r1

    In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML Exte

  • CVE-2025-22233LowMay 16, 2025
    affected < 2.4.0-r2fixed 2.4.0-r2

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Sp

Page 2 of 2