apk package
chainguard/request-1277
pkg:apk/chainguard/request-1277
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-47535 | — | — | — | < 0 | 0 | Nov 12, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application |
| CVE-2024-47554 | — | — | — | < 0.1.87-r1 | 0.1.87-r1 | Oct 3, 2024 | Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are |
| CVE-2021-47621 | High | 7.5 | — | < 0.1.89-r0 | 0.1.89-r0 | Jun 21, 2024 | ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks. |
| CVE-2024-29025 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Mar 25, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t |
| CVE-2021-46877 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Mar 18, 2023 | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. |
| CVE-2022-1471 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Dec 1, 2022 | SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restric |
| CVE-2022-41854 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Nov 11, 2022 | Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service |
| CVE-2022-42004 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Oct 2, 2022 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. |
| CVE-2022-42003 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. |
| CVE-2022-38752 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Sep 5, 2022 | Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. |
| CVE-2022-38751 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Sep 5, 2022 | Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. |
| CVE-2022-38750 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Sep 5, 2022 | Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. |
| CVE-2022-38749 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Sep 5, 2022 | Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. |
| CVE-2022-25857 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Aug 30, 2022 | The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections. |
| CVE-2020-36518 | — | — | — | < 0.1.89-r0 | 0.1.89-r0 | Mar 11, 2022 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |