apk package
chainguard/apicurio-registry-nginx-config
pkg:apk/chainguard/apicurio-registry-nginx-config
Vulnerabilities (20)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59250 | — | < 3.1.4-r2 | 3.1.4-r2 | Oct 14, 2025 | Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-58057 | — | < 3.0.13-r1 | 3.0.13-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s | ||
| CVE-2025-58056 | — | < 3.0.14-r1 | 3.0.14-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch | ||
| CVE-2025-55163 | — | < 3.0.12-r1 | 3.0.12-r1 | Aug 13, 2025 | Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the | ||
| CVE-2025-7962 | — | < 3.0.11-r1 | 3.0.11-r1 | Jul 21, 2025 | In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages. | ||
| CVE-2025-48924 | — | < 3.0.9-r5 | 3.0.9-r5 | Jul 11, 2025 | Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr | ||
| CVE-2025-53864 | Med | 5.8 | < 3.0.9-r6 | 3.0.9-r6 | Jul 11, 2025 | Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca | |
| CVE-2025-49146 | — | < 3.0.9-r2 | 3.0.9-r2 | Jun 11, 2025 | pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that | ||
| CVE-2025-27817 | — | < 3.0.9-r1 | 3.0.9-r1 | Jun 10, 2025 | A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk | ||
| CVE-2025-48734 | — | < 3.0.8-r0 | 3.0.8-r0 | May 28, 2025 | Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no | ||
| CVE-2025-4949 | — | < 3.0.7-r1 | 3.0.7-r1 | May 21, 2025 | In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML Exte | ||
| CVE-2024-58103 | Med | 5.8 | < 3.1.2-r0 | 3.1.2-r0 | Mar 16, 2025 | Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt. | |
| CVE-2025-2240 | Hig | 7.5 | < 3.0.6-r2 | 3.0.6-r2 | Mar 12, 2025 | A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue. | |
| CVE-2025-1634 | Hig | 7.5 | < 3.0.6-r2 | 3.0.6-r2 | Feb 26, 2025 | A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryErr | |
| CVE-2025-25193 | — | < 0 | 0 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts | ||
| CVE-2025-24970 | — | < 3.0.6-r1 | 3.0.6-r1 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas | ||
| CVE-2024-57699 | Hig | 7.5 | < 3.0.6-r1 | 3.0.6-r1 | Feb 5, 2025 | A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a | |
| CVE-2024-12397 | Hig | 7.4 | < 3.0.6-r1 | 3.0.6-r1 | Dec 12, 2024 | A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leadi | |
| CVE-2024-47535 | — | < 3.0.6-r1 | 3.0.6-r1 | Nov 12, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application | ||
| CVE-2012-5783 | — | < 3.0.6-r2 | 3.0.6-r2 | Nov 4, 2012 | Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows m |
- CVE-2025-59250Oct 14, 2025affected < 3.1.4-r2fixed 3.1.4-r2
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
- CVE-2025-58057Sep 3, 2025affected < 3.0.13-r1fixed 3.0.13-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
- CVE-2025-58056Sep 3, 2025affected < 3.0.14-r1fixed 3.0.14-r1
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
- CVE-2025-55163Aug 13, 2025affected < 3.0.12-r1fixed 3.0.12-r1
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
- CVE-2025-7962Jul 21, 2025affected < 3.0.11-r1fixed 3.0.11-r1
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
- CVE-2025-48924Jul 11, 2025affected < 3.0.9-r5fixed 3.0.9-r5
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
- affected < 3.0.9-r6fixed 3.0.9-r6
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca
- CVE-2025-49146Jun 11, 2025affected < 3.0.9-r2fixed 3.0.9-r2
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that
- CVE-2025-27817Jun 10, 2025affected < 3.0.9-r1fixed 3.0.9-r1
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk
- CVE-2025-48734May 28, 2025affected < 3.0.8-r0fixed 3.0.8-r0
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no
- CVE-2025-4949May 21, 2025affected < 3.0.7-r1fixed 3.0.7-r1
In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML Exte
- affected < 3.1.2-r0fixed 3.1.2-r0
Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.
- affected < 3.0.6-r2fixed 3.0.6-r2
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
- affected < 3.0.6-r2fixed 3.0.6-r2
A flaw was found in the quarkus-resteasy extension, which causes memory leaks when client requests with low timeouts are made. If a client request times out, a buffer is not released correctly, leading to increased memory usage and eventual application crash due to OutOfMemoryErr
- CVE-2025-25193Feb 10, 2025affected < 0fixed 0
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
- CVE-2025-24970Feb 10, 2025affected < 3.0.6-r1fixed 3.0.6-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas
- affected < 3.0.6-r1fixed 3.0.6-r1
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a
- affected < 3.0.6-r1fixed 3.0.6-r1
A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leadi
- CVE-2024-47535Nov 12, 2024affected < 3.0.6-r1fixed 3.0.6-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
- CVE-2012-5783Nov 4, 2012affected < 3.0.6-r2fixed 3.0.6-r2
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows m