VYPR

apk package

chainguard/celeborn-0.5

pkg:apk/chainguard/celeborn-0.5

Vulnerabilities (38)

  • CVE-2026-48059HigJun 12, 2026
    affected < 0.5.4-r26fixed 0.5.4-r26

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid heade

  • CVE-2026-48006HigJun 12, 2026
    affected < 0.5.4-r25fixed 0.5.4-r25

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array

  • CVE-2026-46340HigJun 12, 2026
    affected < 0.5.4-r26fixed 0.5.4-r26

    Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag,

  • CVE-2026-44893HigJun 12, 2026
    affected < 0.5.4-r26fixed 0.5.4-r26

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex()

  • CVE-2026-44890HigJun 11, 2026
    affected < 0.5.4-r25fixed 0.5.4-r25

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts t

  • CVE-2026-44250HigJun 11, 2026
    affected < 0.5.4-r25fixed 0.5.4-r25

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to alloc

  • CVE-2026-44248MedMay 13, 2026
    affected < 0.5.4-r23fixed 0.5.4-r23

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is

  • CVE-2026-42586MedMay 13, 2026
    affected < 0.5.4-r23fixed 0.5.4-r23

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) cha

  • CVE-2026-42578HigMay 13, 2026
    affected < 0.5.4-r23fixed 0.5.4-r23

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea

  • CVE-2026-42577HigMay 13, 2026
    affected < 0.5.4-r22fixed 0.5.4-r22

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-34480HigApr 10, 2026
    affected < 0.5.4-r21fixed 0.5.4-r21

    Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whene

  • CVE-2026-34479HigApr 10, 2026
    affected < 0.5.4-r22fixed 0.5.4-r22

    The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downs

  • CVE-2026-33870Mar 27, 2026
    affected < 0.5.4-r19fixed 0.5.4-r19

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2025-33042Feb 13, 2026
    affected < 0.5.4-r17fixed 0.5.4-r17

    Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrad

  • CVE-2025-68161Dec 18, 2025
    affected < 0.5.4-r13fixed 0.5.4-r13

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-67735Dec 16, 2025
    affected < 0.5.4-r19fixed 0.5.4-r19

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-12383Nov 18, 2025
    affected < 0.5.4-r10fixed 0.5.4-r10

    In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but

  • CVE-2025-59419MedOct 15, 2025
    affected < 0.5.4-r8fixed 0.5.4-r8

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) char

  • CVE-2025-52999HigJun 25, 2025
    affected < 0.5.4-r19fixed 0.5.4-r19

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de

  • CVE-2024-47535Nov 12, 2024
    affected < 0.5.4-r26fixed 0.5.4-r26

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application

Page 1 of 2