VYPR

apk package

chainguard/kafka-bridge

pkg:apk/chainguard/kafka-bridge

Vulnerabilities (29)

  • CVE-2026-34481HigApr 10, 2026
    affected < 1.0.0-r1fixed 1.0.0-r1

    Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohib

  • CVE-2026-34480HigApr 10, 2026
    affected < 0.33.1-r14fixed 0.33.1-r14

    Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whene

  • CVE-2026-34478HigApr 10, 2026
    affected < 1.0.0-r5fixed 1.0.0-r5

    Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinc

  • CVE-2026-34477MedApr 10, 2026
    affected < 1.0.0-r5fixed 1.0.0-r5

    The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName

  • CVE-2026-33871Mar 27, 2026
    affected < 0.33.1-r13fixed 0.33.1-r13

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870Mar 27, 2026
    affected < 0.33.1-r12fixed 0.33.1-r12

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-1002Jan 15, 2026
    affected < 0.33.1-r13fixed 0.33.1-r13

    The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co

  • CVE-2025-68161Dec 18, 2025
    affected < 0.33.1-r7fixed 0.33.1-r7

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-67735Dec 16, 2025
    affected < 0.33.1-r6fixed 0.33.1-r6

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

Page 2 of 2