VYPR

apk package

chainguard/knative-kafka-broker-fips-1.20-dispatcher-loom

pkg:apk/chainguard/knative-kafka-broker-fips-1.20-dispatcher-loom

Vulnerabilities (26)

  • CVE-2026-41417  Severity: Medium  May 6, 2026
    affected: < 1.20.3-r6; fixed: 1.20.3-r6

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-6860  Severity: Medium  May 6, 2026
    affected: < 1.20.3-r6; fixed: 1.20.3-r6

    A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

  • CVE-2026-35554  Severity: High  Apr 7, 2026
    affected: < 1.20.3-r2; fixed: 1.20.3-r2

    A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch

  • CVE-2026-33871  Mar 27, 2026
    affected: < 1.20.2-r4; fixed: 1.20.2-r4

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870  Mar 27, 2026
    affected: < 1.20.2-r3; fixed: 1.20.2-r3

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2025-66566  Severity: High  Dec 5, 2025
    affected: < 1.20.3-r2; fixed: 1.20.3-r2

    yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the

Page 2 of 2