VYPR

apk package

chainguard/scala-3.8

pkg:apk/chainguard/scala-3.8

Vulnerabilities (7)

  • CVE-2026-54517medJun 23, 2026
    affected < 3.8.4-r4fixed 3.8.4-r4

    ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()

  • CVE-2026-54518medJun 23, 2026
    affected < 3.8.4-r4fixed 3.8.4-r4

    ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea

  • CVE-2025-52999HigJun 25, 2025
    affected < 3.8.4-r1fixed 3.8.4-r1

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de

  • CVE-2025-49128MedJun 6, 2025
    affected < 3.8.4-r1fixed 3.8.4-r1

    Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unint

  • CVE-2021-46877Mar 18, 2023
    affected < 3.8.4-r1fixed 3.8.4-r1

    jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

  • CVE-2022-42004Oct 2, 2022
    affected < 3.8.4-r1fixed 3.8.4-r1

    In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

  • CVE-2022-42003Oct 2, 2022
    affected < 3.8.4-r1fixed 3.8.4-r1

    In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.