apk package
chainguard/solr-oci-compat
pkg:apk/chainguard/solr-oci-compat
Vulnerabilities (24)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58457 | Med | 4.3 | < 9.9.0-r3 | 9.9.0-r3 | Sep 24, 2025 | Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. | |
| CVE-2025-58057 | Hig | 7.5 | < 9.9.0-r2 | 9.9.0-r2 | Sep 4, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s | |
| CVE-2025-5115 | Hig | 7.5 | < 9.9.0-r1 | 9.9.0-r1 | Aug 20, 2025 | In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th | |
| CVE-2025-48924 | Med | 5.3 | < 9.8.1-r2 | 9.8.1-r2 | Jul 11, 2025 | Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr | |
| CVE-2025-25193 | Med | 5.5 | < 0 | 0 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts | |
| CVE-2025-24814 | Med | 5.5 | < 0 | 0 | Jan 27, 2025 | Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization | |
| CVE-2024-52012 | Med | 5.4 | < 0 | 0 | Jan 27, 2025 | Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use r | |
| CVE-2024-47535 | Med | 5.5 | < 0 | 0 | Nov 12, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application | |
| CVE-2024-51504 | Cri | 9.1 | < 9.8.1-r1 | 9.8.1-r1 | Nov 7, 2024 | When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthentication | |
| CVE-2024-8184 | Med | 5.9 | < 9.7.0-r1 | 9.7.0-r1 | Oct 14, 2024 | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's | |
| CVE-2024-8373 | Med | 4.8 | < 9.8.1-r0 | 9.8.1-r0 | Sep 9, 2024 | Improper sanitization of the value of the [srcset] attribute in HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This iss | |
| CVE-2024-8372 | Med | 4.8 | < 9.8.1-r0 | 9.8.1-r0 | Sep 9, 2024 | Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versi | |
| CVE-2024-23944 | Med | 5.3 | < 9.5.0-r2 | 9.5.0-r2 | Mar 15, 2024 | Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d | |
| CVE-2024-22201 | Hig | 7.5 | < 9.5.0-r1 | 9.5.0-r1 | Feb 26, 2024 | Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing | |
| CVE-2024-21490 | Hig | 7.5 | < 9.8.1-r0 | 9.8.1-r0 | Feb 10, 2024 | This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can r | |
| CVE-2023-50386 | Hig | 8.8 | < 9.5.0-r0 | 9.5.0-r0 | Feb 9, 2024 | Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In t | |
| CVE-2023-50298 | Hig | 7.5 | < 9.5.0-r0 | 9.5.0-r0 | Feb 9, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. | |
| CVE-2023-51074 | Med | 5.3 | < 9.4.1-r1 | 9.4.1-r1 | Dec 27, 2023 | json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method. | |
| CVE-2023-26118 | Med | 5.3 | < 9.9.0-r3 | 9.9.0-r3 | Mar 30, 2023 | Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large ca | |
| CVE-2023-26117 | Med | 5.3 | < 9.9.0-r3 | 9.9.0-r3 | Mar 30, 2023 | Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result i |
- affected < 9.9.0-r3fixed 9.9.0-r3
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.
- affected < 9.9.0-r2fixed 9.9.0-r2
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
- affected < 9.9.0-r1fixed 9.9.0-r1
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th
- affected < 9.8.1-r2fixed 9.8.1-r2
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
- affected < 0fixed 0
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
- affected < 0fixed 0
Core creation allows users to replace "trusted" configset files with arbitrary configuration Solr instances that (1) use the "FileSystemConfigSetService" component (the default in "standalone" or "user-managed" mode), and (2) are running without authentication and authorization
- affected < 0fixed 0
Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API. Commonly known as a "zipslip", maliciously constructed ZIP files can use r
- affected < 0fixed 0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
- affected < 9.8.1-r1fixed 9.8.1-r1
When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthentication
- affected < 9.7.0-r1fixed 9.7.0-r1
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
- affected < 9.8.1-r0fixed 9.8.1-r0
Improper sanitization of the value of the [srcset] attribute in HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This iss
- affected < 9.8.1-r0fixed 9.8.1-r0
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing . This issue affects AngularJS versi
- affected < 9.5.0-r2fixed 9.5.0-r2
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d
- affected < 9.5.0-r1fixed 9.5.0-r1
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing
- affected < 9.8.1-r0fixed 9.8.1-r0
This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can r
- affected < 9.5.0-r0fixed 9.5.0-r0
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In t
- affected < 9.5.0-r0fixed 9.5.0-r0
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter.
- affected < 9.4.1-r1fixed 9.4.1-r1
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
- affected < 9.9.0-r3fixed 9.9.0-r3
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large ca
- affected < 9.9.0-r3fixed 9.9.0-r3
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result i
Page 1 of 2