VYPR

apk package

chainguard/seata-server

pkg:apk/chainguard/seata-server

Vulnerabilities (41)

  • CVE-2026-42583HigMay 13, 2026
    affected < 2.6.0-r9fixed 2.6.0-r9

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload

  • CVE-2026-42581MedMay 13, 2026
    affected < 2.6.0-r9fixed 2.6.0-r9

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T

  • CVE-2026-42580MedMay 13, 2026
    affected < 2.6.0-r9fixed 2.6.0-r9

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

  • CVE-2026-42579HigMay 13, 2026
    affected < 2.6.0-r9fixed 2.6.0-r9

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon

  • CVE-2026-42578HigMay 13, 2026
    affected < 2.6.0-r9fixed 2.6.0-r9

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea

  • CVE-2026-42577HigMay 13, 2026
    affected < 2.6.0-r8fixed 2.6.0-r8

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-41417MedMay 6, 2026
    affected < 2.6.0-r9fixed 2.6.0-r9

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-42198HigApr 29, 2026
    affected < 2.6.0-r10fixed 2.6.0-r10

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-33558MedApr 20, 2026
    affected < 2.6.0-r8fixed 2.6.0-r8

    Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit

  • CVE-2026-35554HigApr 7, 2026
    affected < 2.6.0-r8fixed 2.6.0-r8

    A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch

  • CVE-2026-33871Mar 27, 2026
    affected < 2.6.0-r6fixed 2.6.0-r6

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870Mar 27, 2026
    affected < 2.6.0-r6fixed 2.6.0-r6

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-24308Mar 7, 2026
    affected < 2.6.0-r4fixed 2.6.0-r4

    Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering p

  • CVE-2026-24281Mar 7, 2026
    affected < 2.6.0-r4fixed 2.6.0-r4

    Hostname verification in Apache ZooKeeper ZKTrustManager falls back to reverse DNS (PTR) when IP SAN validation fails, allowing attackers who control or spoof PTR records to impersonate ZooKeeper servers or clients with a valid certificate for the PTR name. It's important to note

  • CVE-2025-67735Dec 16, 2025
    affected < 2.5.0-r4fixed 2.5.0-r4

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-61795MedOct 27, 2025
    affected < 2.5.0-r3fixed 2.5.0-r3

    Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage co

  • CVE-2025-55754CriOct 27, 2025
    affected < 2.5.0-r3fixed 2.5.0-r3

    Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was po

  • CVE-2025-55752HigOct 27, 2025
    affected < 2.5.0-r3fixed 2.5.0-r3

    Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL,

  • CVE-2025-59419MedOct 15, 2025
    affected < 2.5.0-r1fixed 2.5.0-r1

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.128.Final and 4.2.7.Final, the SMTP codec in Netty contains an SMTP command injection vulnerability due to insufficient input validation for Carriage Return (\r) and Line Feed (\n) char

  • CVE-2024-38819HigDec 19, 2024
    affected < 2.5.0-r3fixed 2.5.0-r3

    Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S