VYPR

apk package

chainguard/jitsucom-jitsu

pkg:apk/chainguard/jitsucom-jitsu

Vulnerabilities (34)

  • CVE-2024-56332Jan 3, 2025
    affected < 2.8.5-r3fixed 2.8.5-r3

    Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leaves requests to Serve

  • CVE-2024-55565MedDec 9, 2024
    affected < 2.8.5-r0fixed 2.8.5-r0

    nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 is also a fixed version.

  • CVE-2024-47831Oct 14, 2024
    affected < 2.8.2-r1fixed 2.8.2-r1

    Next.js is a React Framework for the Web. Cersions on the 10.x, 11.x, 12.x, 13.x, and 14.x branches before version 14.2.7 contain a vulnerability in the image optimization feature which allows for a potential Denial of Service (DoS) condition which could lead to excessive CPU con

  • CVE-2024-47764MedOct 4, 2024
    affected < 2.8.2-r2fixed 2.8.2-r2

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-46982Sep 17, 2024
    affected < 2.8.2-r1fixed 2.8.2-r1

    Next.js is a React framework for building full-stack web applications. By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it

  • CVE-2024-39338Aug 9, 2024
    affected < 2.8.0-r1fixed 2.8.0-r1

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-37168MedJun 10, 2024
    affected < 2.7.0-r1fixed 2.7.0-r1

    @grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` chann

  • CVE-2024-34351May 9, 2024
    affected < 2.8.0-r0fixed 2.8.0-r0

    Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able

  • CVE-2022-37620Oct 31, 2022
    affected < 2.8.4-r0fixed 2.8.4-r0

    A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.

  • CVE-2022-37601Oct 12, 2022
    affected < 2.11.0-r6fixed 2.11.0-r6

    Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3.

  • CVE-2021-42740Oct 21, 2021
    affected < 0fixed 0

    The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command wi

  • CVE-2018-3739CriJun 7, 2018
    affected < 0fixed 0

    https-proxy-agent before 2.1.1 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).

  • CVE-2016-10541CriMay 31, 2018
    affected < 0fixed 0

    The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.

  • CVE-2015-9235CriMay 29, 2018
    affected < 0fixed 0

    In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

Page 2 of 2