VYPR

apk package

chainguard/cassandra-4.0

pkg:apk/chainguard/cassandra-4.0

Vulnerabilities (13)

  • CVE-2026-54517 (medium), Jun 23, 2026
    affected < 4.0.20-r1, fixed 4.0.20-r1

    Summary: In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()

  • CVE-2026-54514 (medium), Jun 23, 2026
    affected < 4.0.20-r1, fixed 4.0.20-r1

    Summary: `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd

  • CVE-2026-54513 (high), Jun 23, 2026
    affected < 4.0.20-r1, fixed 4.0.20-r1

    Summary: `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli

  • CVE-2026-54512 (high), Jun 23, 2026
    affected < 4.0.20-r1, fixed 4.0.20-r1

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal

  • CVE-2026-54518 (medium), Jun 23, 2026
    affected < 4.0.20-r1, fixed 4.0.20-r1

    Summary: `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea

  • CVE-2025-66566 (high), Dec 5, 2025
    affected < 4.0.20-r0, fixed 4.0.20-r0

    yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the

  • CVE-2025-12183 (high), Nov 28, 2025
    affected < 4.0.19-r5, fixed 4.0.19-r5

    Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

  • CVE-2025-48924, Jul 11, 2025
    affected < 4.0.18-r2, fixed 4.0.18-r2

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2025-52999 (high), Jun 25, 2025
    affected < 4.0.18-r1, fixed 4.0.18-r1

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de

  • CVE-2023-6378, Nov 29, 2023
    affected < 0, fixed 0

    A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

  • CVE-2023-2976, Jun 14, 2023
    affected < 0, fixed 0

    Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to

  • CVE-2022-1471, Dec 1, 2022
    affected < 0, fixed 0

    SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restric

  • CVE-2020-8908, Dec 10, 2020
    affected < 0, fixed 0

    A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the