VYPR

apk package

chainguard/camunda-zeebe-8.4-compat

pkg:apk/chainguard/camunda-zeebe-8.4-compat

Vulnerabilities (8)

  • CVE-2026-21452Jan 2, 2026
    affected < 8.4.21-r11fixed 8.4.21-r11

    MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers

  • CVE-2025-68161Dec 18, 2025
    affected < 8.4.21-r10fixed 8.4.21-r10

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-67735Dec 16, 2025
    affected < 8.4.21-r9fixed 8.4.21-r9

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-8916MedAug 13, 2025
    affected < 8.4.21-r8fixed 8.4.21-r8

    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API m

  • CVE-2025-48924Jul 11, 2025
    affected < 8.4.21-r1fixed 8.4.21-r1

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2025-41234MedJun 12, 2025
    affected < 8.4.20-r1fixed 8.4.20-r1

    Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-s

  • CVE-2025-22233LowMay 16, 2025
    affected < 8.4.20-r0fixed 8.4.20-r0

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Sp

  • CVE-2025-22235HigApr 28, 2025
    affected < 8.4.18-r1fixed 8.4.18-r1

    EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed. Your application may be affected by this if all the following conditions are met: * You use Spring Security * EndpointR