VYPR

apk package

chainguard/geoserver-2.27-community

pkg:apk/chainguard/geoserver-2.27-community

Vulnerabilities (18)

  • CVE-2026-42198 | High | Apr 29, 2026
    affected: < 2.27.5-r8; fixed: 2.27.5-r8

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-41044 | High | Apr 24, 2026
    affected: < 2.27.5-r9; fixed: 2.27.5-r9

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses nam

  • CVE-2026-41043 | Medium | Apr 24, 2026
    affected: < 2.27.5-r9; fixed: 2.27.5-r9

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of

  • CVE-2026-40466 | High | Apr 24, 2026
    affected: < 2.27.5-r9; fixed: 2.27.5-r9

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery tran

  • CVE-2026-34480 | High | Apr 10, 2026
    affected: < 2.27.5-r6; fixed: 2.27.5-r6

    Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whene

  • CVE-2026-34478 | High | Apr 10, 2026
    affected: < 2.27.5-r6; fixed: 2.27.5-r6

    Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinc

  • CVE-2026-34477 | Medium | Apr 10, 2026
    affected: < 2.27.5-r6; fixed: 2.27.5-r6

    The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName

  • CVE-2026-39304 | High | Apr 10, 2026
    affected: < 2.27.5-r3; fixed: 2.27.5-r3

    Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger upd

  • CVE-2026-34197 | High | KEV | Apr 7, 2026
    affected: < 2.27.5-r3; fixed: 2.27.5-r3

    Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permi

  • CVE-2026-33227 | Medium | Apr 7, 2026
    affected: < 2.27.5-r3; fixed: 2.27.5-r3

    Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web co

  • CVE-2025-66168 | Medium | Mar 4, 2026
    affected: < 2.27.5-r2; fixed: 2.27.5-r2

    WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046

  • CVE-2025-68161 | Dec 18, 2025
    affected: < 2.27.4-r1; fixed: 2.27.4-r1

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-48976 | Jun 16, 2025
    affected: < 2.27.1-r1; fixed: 2.27.1-r1

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or

  • CVE-2024-38819 | High | Dec 19, 2024
    affected: < 2.27.3-r0; fixed: 2.27.3-r0

    Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S

  • CVE-2024-38828 | Medium | Nov 18, 2024
    affected: < 2.27.3-r0; fixed: 2.27.3-r0

    Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.

  • CVE-2023-35042 | Jun 12, 2023
    affected: < 2.27.3-r0; fixed: 2.27.3-r0

    GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in

  • CVE-2020-11971 | May 14, 2020
    affected: < 2.27.5-r2; fixed: 2.27.5-r2

    Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.

  • CVE-2016-1000027 | Jan 2, 2020
    affected: < 0; fixed: 0

    Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO