VYPR

apk package

chainguard/pinot

pkg:apk/chainguard/pinot

Vulnerabilities (36)

  • CVE-2026-50020MedJun 12, 2026
    affected < 1.5.0-r21fixed 1.5.0-r21

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0

  • CVE-2026-48059HigJun 12, 2026
    affected < 1.5.0-r18fixed 1.5.0-r18

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid heade

  • CVE-2026-48043MedJun 12, 2026
    affected < 1.5.0-r20fixed 1.5.0-r20

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedCh

  • CVE-2026-47691HigJun 12, 2026
    affected < 1.5.0-r16fixed 1.5.0-r16

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an a

  • CVE-2026-47244MedJun 12, 2026
    affected < 1.5.0-r20fixed 1.5.0-r20

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTING

  • CVE-2026-46340HigJun 12, 2026
    affected < 1.5.0-r17fixed 1.5.0-r17

    Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag,

  • CVE-2026-45674HigJun 12, 2026
    affected < 1.5.0-r16fixed 1.5.0-r16

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Fina

  • CVE-2026-45673MedJun 12, 2026
    affected < 1.5.0-r16fixed 1.5.0-r16

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination r

  • CVE-2026-45536MedJun 12, 2026
    affected < 1.5.0-r22fixed 1.5.0-r22

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_

  • CVE-2026-45416HigJun 12, 2026
    affected < 1.5.0-r15fixed 1.5.0-r15

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly all

  • CVE-2026-44893HigJun 12, 2026
    affected < 1.5.0-r18fixed 1.5.0-r18

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2_TYPE_SSL TLV, HAProxyMessage.readNextTLV() first calls `header.retainedSlice(header.readerIndex()

  • CVE-2026-44890HigJun 11, 2026
    affected < 1.5.0-r14fixed 1.5.0-r14

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending crafted Redis payloads across multiple connections without `\r\n`. This exhausts t

  • CVE-2026-44250HigJun 11, 2026
    affected < 1.5.0-r14fixed 1.5.0-r14

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-redis prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can cause DoS by sending a crafted Redis payload with deeply nested arrays. This forces the server to alloc

  • CVE-2026-44249HigJun 11, 2026
    affected < 1.5.0-r15fixed 1.5.0-r15

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid pub

  • CVE-2026-45300HigJun 5, 2026
    affected < 1.5.0-r10fixed 1.5.0-r10

    The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. Versions on the 2.x branch prior to 2.15.0 and the 3.x branch prior to 3.0.10 leak `Cookie` headers to cross-origin redirect targets. When followi

  • CVE-2026-45205MedMay 14, 2026
    affected < 1.5.0-r11fixed 1.5.0-r11

    Uncontrolled Recursion vulnerability in Apache Commons. When processing an untrusted configuration file, Commons Configuration will throw a StackOverflowError for YAML input with cycles. This issue affects Apache Commons: from 2.2 before 2.15.0. Users are recommended to upgrade

  • CVE-2026-44248MedMay 13, 2026
    affected < 1.5.0-r7fixed 1.5.0-r7

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is

  • CVE-2026-42587HigMay 13, 2026
    affected < 1.5.0-r5fixed 1.5.0-r5

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for

  • CVE-2026-42586MedMay 13, 2026
    affected < 1.5.0-r8fixed 1.5.0-r8

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) cha

  • CVE-2026-42583HigMay 13, 2026
    affected < 1.5.0-r6fixed 1.5.0-r6

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload

Page 1 of 2