apk package
chainguard/camunda-zeebe-compat
pkg:apk/chainguard/camunda-zeebe-compat
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-25193 | — | < 8.6.9-r1 | 8.6.9-r1 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts | ||
| CVE-2025-24970 | — | < 8.6.9-r1 | 8.6.9-r1 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas | ||
| CVE-2024-57699 | Hig | 7.5 | < 8.6.9-r1 | 8.6.9-r1 | Feb 5, 2025 | A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a | |
| CVE-2024-56337 | — | < 8.6.6-r2 | 8.6.6-r2 | Dec 20, 2024 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but ar | ||
| CVE-2024-50379 | — | < 8.6.6-r2 | 8.6.6-r2 | Dec 17, 2024 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 thr | ||
| CVE-2024-38829 | Low | 3.7 | < 8.6.6-r0 | 8.6.6-r0 | Dec 4, 2024 | A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLower | |
| CVE-2024-38827 | Med | 4.8 | < 8.6.5-r0 | 8.6.5-r0 | Dec 2, 2024 | The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly. | |
| CVE-2024-47535 | — | < 8.6.6-r0 | 8.6.6-r0 | Nov 12, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application | ||
| CVE-2024-38821 | Cri | 9.1 | < 8.6.5-r0 | 8.6.5-r0 | Oct 28, 2024 | Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's | |
| CVE-2024-38820 | — | < 8.6.5-r0 | 8.6.5-r0 | Oct 18, 2024 | The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. | ||
| CVE-2024-7254 | — | < 8.6.5-r0 | 8.6.5-r0 | Sep 19, 2024 | Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf | ||
| CVE-2024-38816 | Hig | 7.5 | < 8.6.5-r0 | 8.6.5-r0 | Sep 13, 2024 | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S |
- CVE-2025-25193Feb 10, 2025affected < 8.6.9-r1fixed 8.6.9-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
- CVE-2025-24970Feb 10, 2025affected < 8.6.9-r1fixed 8.6.9-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas
- affected < 8.6.9-r1fixed 8.6.9-r1
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a
- CVE-2024-56337Dec 20, 2024affected < 8.6.6-r2fixed 8.6.6-r2
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but ar
- CVE-2024-50379Dec 17, 2024affected < 8.6.6-r2fixed 8.6.6-r2
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 thr
- affected < 8.6.6-r0fixed 8.6.6-r0
A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLower
- affected < 8.6.5-r0fixed 8.6.5-r0
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
- CVE-2024-47535Nov 12, 2024affected < 8.6.6-r0fixed 8.6.6-r0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
- affected < 8.6.5-r0fixed 8.6.5-r0
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's
- CVE-2024-38820Oct 18, 2024affected < 8.6.5-r0fixed 8.6.5-r0
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
- CVE-2024-7254Sep 19, 2024affected < 8.6.5-r0fixed 8.6.5-r0
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf
- affected < 8.6.5-r0fixed 8.6.5-r0
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S