VYPR

apk package

chainguard/apache-nifi

pkg:apk/chainguard/apache-nifi

Vulnerabilities (97)

  • CVE-2024-25638HigJul 22, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

  • CVE-2024-37389Jul 8, 2024
    affected < 1.27.0-r0fixed 1.27.0-r0

    Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code,

  • CVE-2024-36124Jun 3, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this

  • CVE-2024-36114HigMay 29, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor

  • CVE-2024-30172HigMay 14, 2024
    affected < 2.6.0-r2fixed 2.6.0-r2

    An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

  • CVE-2024-30171MedMay 14, 2024
    affected < 1.26.0-r2fixed 1.26.0-r2

    An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

  • CVE-2024-29857HigMay 14, 2024
    affected < 1.26.0-r2fixed 1.26.0-r2

    An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during

  • CVE-2023-51775Dec 25, 2023
    affected < 2.6.0-r2fixed 2.6.0-r2

    The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.

  • CVE-2023-46120Oct 24, 2023
    affected < 2.6.0-r2fixed 2.6.0-r2

    The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U

  • CVE-2023-34462Jun 22, 2023
    affected < 2.6.0-r2fixed 2.6.0-r2

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does

  • CVE-2022-41915Dec 13, 2022
    affected < 2.6.0-r2fixed 2.6.0-r2

    Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values

  • CVE-2022-41881Dec 12, 2022
    affected < 2.6.0-r2fixed 2.6.0-r2

    Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor

  • CVE-2022-3510Nov 11, 2022
    affected < 2.6.0-r2fixed 2.6.0-r2

    A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat

  • CVE-2022-3509Nov 1, 2022
    affected < 2.6.0-r2fixed 2.6.0-r2

    A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown

  • CVE-2022-3171Oct 12, 2022
    affected < 2.6.0-r2fixed 2.6.0-r2

    A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be

  • CVE-2021-38153Sep 22, 2021
    affected < 1.26.0-r2fixed 1.26.0-r2

    Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera

  • CVE-2016-1000027Jan 2, 2020
    affected < 0fixed 0

    Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO

Page 5 of 5