apk package
chainguard/apache-nifi
pkg:apk/chainguard/apache-nifi
Vulnerabilities (97)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-25638 | Hig | 8.9 | < 2.0.0-r0 | 2.0.0-r0 | Jul 22, 2024 | dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0. | |
| CVE-2024-37389 | — | < 1.27.0-r0 | 1.27.0-r0 | Jul 8, 2024 | Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code, | ||
| CVE-2024-36124 | — | < 2.0.0-r0 | 2.0.0-r0 | Jun 3, 2024 | iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this | ||
| CVE-2024-36114 | Hig | 8.6 | < 2.0.0-r0 | 2.0.0-r0 | May 29, 2024 | Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor | |
| CVE-2024-30172 | Hig | 7.5 | < 2.6.0-r2 | 2.6.0-r2 | May 14, 2024 | An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key. | |
| CVE-2024-30171 | Med | 5.9 | < 1.26.0-r2 | 1.26.0-r2 | May 14, 2024 | An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. | |
| CVE-2024-29857 | Hig | 7.5 | < 1.26.0-r2 | 1.26.0-r2 | May 14, 2024 | An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during | |
| CVE-2023-51775 | — | < 2.6.0-r2 | 2.6.0-r2 | Dec 25, 2023 | The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value. | ||
| CVE-2023-46120 | — | < 2.6.0-r2 | 2.6.0-r2 | Oct 24, 2023 | The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U | ||
| CVE-2023-34462 | — | < 2.6.0-r2 | 2.6.0-r2 | Jun 22, 2023 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does | ||
| CVE-2022-41915 | — | < 2.6.0-r2 | 2.6.0-r2 | Dec 13, 2022 | Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values | ||
| CVE-2022-41881 | — | < 2.6.0-r2 | 2.6.0-r2 | Dec 12, 2022 | Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor | ||
| CVE-2022-3510 | — | < 2.6.0-r2 | 2.6.0-r2 | Nov 11, 2022 | A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat | ||
| CVE-2022-3509 | — | < 2.6.0-r2 | 2.6.0-r2 | Nov 1, 2022 | A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown | ||
| CVE-2022-3171 | — | < 2.6.0-r2 | 2.6.0-r2 | Oct 12, 2022 | A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be | ||
| CVE-2021-38153 | — | < 1.26.0-r2 | 1.26.0-r2 | Sep 22, 2021 | Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera | ||
| CVE-2016-1000027 | — | < 0 | 0 | Jan 2, 2020 | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO |
- affected < 2.0.0-r0fixed 2.0.0-r0
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
- CVE-2024-37389Jul 8, 2024affected < 1.27.0-r0fixed 1.27.0-r0
Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code,
- CVE-2024-36124Jun 3, 2024affected < 2.0.0-r0fixed 2.0.0-r0
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this
- affected < 2.0.0-r0fixed 2.0.0-r0
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor
- affected < 2.6.0-r2fixed 2.6.0-r2
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
- affected < 1.26.0-r2fixed 1.26.0-r2
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
- affected < 1.26.0-r2fixed 1.26.0-r2
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during
- CVE-2023-51775Dec 25, 2023affected < 2.6.0-r2fixed 2.6.0-r2
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
- CVE-2023-46120Oct 24, 2023affected < 2.6.0-r2fixed 2.6.0-r2
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U
- CVE-2023-34462Jun 22, 2023affected < 2.6.0-r2fixed 2.6.0-r2
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does
- CVE-2022-41915Dec 13, 2022affected < 2.6.0-r2fixed 2.6.0-r2
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values
- CVE-2022-41881Dec 12, 2022affected < 2.6.0-r2fixed 2.6.0-r2
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor
- CVE-2022-3510Nov 11, 2022affected < 2.6.0-r2fixed 2.6.0-r2
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat
- CVE-2022-3509Nov 1, 2022affected < 2.6.0-r2fixed 2.6.0-r2
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown
- CVE-2022-3171Oct 12, 2022affected < 2.6.0-r2fixed 2.6.0-r2
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be
- CVE-2021-38153Sep 22, 2021affected < 1.26.0-r2fixed 1.26.0-r2
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera
- CVE-2016-1000027Jan 2, 2020affected < 0fixed 0
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO
Page 5 of 5