apk package
chainguard/geoserver-2.27-docker
pkg:apk/chainguard/geoserver-2.27-docker
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68161 | — | < 2.27.4-r1 | 2.27.4-r1 | Dec 18, 2025 | The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co | ||
| CVE-2025-48976 | — | < 2.27.1-r1 | 2.27.1-r1 | Jun 16, 2025 | Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or | ||
| CVE-2024-38819 | Hig | 7.5 | < 2.27.3-r0 | 2.27.3-r0 | Dec 19, 2024 | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S | |
| CVE-2024-38828 | Med | 5.3 | < 2.27.3-r0 | 2.27.3-r0 | Nov 18, 2024 | Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack. | |
| CVE-2023-35042 | — | < 2.27.3-r0 | 2.27.3-r0 | Jun 12, 2023 | GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in | ||
| CVE-2016-1000027 | — | < 0 | 0 | Jan 2, 2020 | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO |
- CVE-2025-68161Dec 18, 2025affected < 2.27.4-r1fixed 2.27.4-r1
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
- CVE-2025-48976Jun 16, 2025affected < 2.27.1-r1fixed 2.27.1-r1
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or
- affected < 2.27.3-r0fixed 2.27.3-r0
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S
- affected < 2.27.3-r0fixed 2.27.3-r0
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
- CVE-2023-35042Jun 12, 2023affected < 2.27.3-r0fixed 2.27.3-r0
GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023. NOTE: the vendor states that they are unable to reproduce this in
- CVE-2016-1000027Jan 2, 2020affected < 0fixed 0
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO