VYPR

apk package

chainguard/camunda-zeebe-8.9

pkg:apk/chainguard/camunda-zeebe-8.9

Vulnerabilities (47)

  • CVE-2026-43514LowMay 12, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older

  • CVE-2026-43513HigMay 12, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older un

  • CVE-2026-43512CriMay 12, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older

  • CVE-2026-42498HigMay 12, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, f

  • CVE-2026-41293CriMay 12, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users

  • CVE-2026-41284HigMay 12, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are reco

  • CVE-2026-41712HigMay 12, 2026
    affected < 8.9.5-r3fixed 8.9.5-r3

    Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

  • CVE-2026-41417MedMay 6, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-42198HigApr 29, 2026
    affected < 8.9.5-r0fixed 8.9.5-r0

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-22745MedApr 29, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is

  • CVE-2026-22741LowApr 29, 2026
    affected < 8.9.5-r2fixed 8.9.5-r2

    Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuri

  • CVE-2026-40976CriApr 28, 2026
    affected < 8.9.5-r0fixed 8.9.5-r0

    In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default we

  • CVE-2026-40973HigApr 28, 2026
    affected < 8.9.5-r0fixed 8.9.5-r0

    A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session

  • CVE-2026-22754HigApr 22, 2026
    affected < 8.9.1-r1fixed 8.9.1-r1

    Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exer

  • CVE-2026-22753HigApr 22, 2026
    affected < 8.9.1-r1fixed 8.9.1-r1

    Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intend

  • CVE-2026-22748MedApr 22, 2026
    affected < 8.9.5-r0fixed 8.9.5-r0

    Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder  or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.

  • CVE-2026-22747MedApr 22, 2026
    affected < 8.9.1-r2fixed 8.9.1-r2

    Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonati

  • CVE-2026-22746LowApr 22, 2026
    affected < 8.9.5-r0fixed 8.9.5-r0

    Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are

  • CVE-2026-22751MedApr 21, 2026
    affected < 8.9.5-r0fixed 8.9.5-r0

    Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu

  • CVE-2026-5588MedApr 15, 2026
    affected < 8.9.1-r0fixed 8.9.1-r0

    Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modul