VYPR

apk package

chainguard/camunda-zeebe-8.5

pkg:apk/chainguard/camunda-zeebe-8.5

Vulnerabilities (9)

  • CVE-2026-21452Jan 2, 2026
    affected < 8.5.25-r4fixed 8.5.25-r4

    MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers

  • CVE-2025-68161Dec 18, 2025
    affected < 8.5.25-r3fixed 8.5.25-r3

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-67735Dec 16, 2025
    affected < 8.5.25-r2fixed 8.5.25-r2

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-41249HigSep 16, 2025
    affected < 8.5.24-r2fixed 8.5.24-r2

    The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application m

  • CVE-2025-55163Aug 13, 2025
    affected < 8.5.22-r2fixed 8.5.22-r2

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the

  • CVE-2025-8916MedAug 13, 2025
    affected < 8.5.25-r1fixed 8.5.25-r1

    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API m

  • CVE-2025-22227MedJul 16, 2025
    affected < 8.5.20-r2fixed 8.5.20-r2

    In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

  • CVE-2025-41234MedJun 12, 2025
    affected < 8.5.19-r1fixed 8.5.19-r1

    Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-s

  • CVE-2025-22233LowMay 16, 2025
    affected < 8.5.19-r0fixed 8.5.19-r0

    CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks. Affected Spring Products and Versions Sp