apk package

chainguard/spark-3.5

pkg:apk/chainguard/spark-3.5

Vulnerabilities (24)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-68161		—	< 3.5.7-r5	3.5.7-r5	Dec 18, 2025	The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-67735		—	< 3.5.7-r4	3.5.7-r4	Dec 16, 2025	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-12383		—	< 3.5.7-r3	3.5.7-r3	Nov 18, 2025	In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but
CVE-2025-58457		—	< 3.5.7-r2	3.5.7-r2	Sep 24, 2025	Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.
CVE-2025-58057		—	< 3.5.6-r7	3.5.6-r7	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056		—	< 3.5.6-r7	3.5.6-r7	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-48734		—	< 3.5.7-r2	3.5.7-r2	May 28, 2025	Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no
CVE-2025-25193		—	< 0	0	Feb 10, 2025	Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
CVE-2024-29869		—	< 3.5.7-r2	3.5.7-r2	Jan 28, 2025	Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are
CVE-2024-23953		—	< 3.5.7-r2	3.5.7-r2	Jan 28, 2025	Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an authorized user of the product to perform this attack. Users are recommended to upgrad
CVE-2024-47535		—	< 0	0	Nov 12, 2024	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
CVE-2024-8184		—	< 3.5.7-r2	3.5.7-r2	Oct 14, 2024	There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
CVE-2024-36114	Hig	8.6	< 3.5.1-r6	3.5.1-r6	May 29, 2024	Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor
CVE-2024-29025		—	< 3.5.1-r3	3.5.1-r3	Mar 25, 2024	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t
CVE-2024-23944		—	< 3.5.1-r3	3.5.1-r3	Mar 15, 2024	Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d
CVE-2022-46337		—	< 3.5.5-r0	3.5.5-r0	Nov 20, 2023	A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execut
CVE-2022-3510		—	< 3.5.7-r2	3.5.7-r2	Nov 11, 2022	A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat
CVE-2022-3509		—	< 3.5.7-r2	3.5.7-r2	Nov 1, 2022	A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown
CVE-2022-3171		—	< 3.5.7-r2	3.5.7-r2	Oct 12, 2022	A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be
CVE-2022-36944		—	< 0	0	Sep 23, 2022	Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary file

CVE-2025-68161Dec 18, 2025
affected < 3.5.7-r5fixed 3.5.7-r5
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-67735Dec 16, 2025
affected < 3.5.7-r4fixed 3.5.7-r4
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-12383Nov 18, 2025
affected < 3.5.7-r3fixed 3.5.7-r3
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but
CVE-2025-58457Sep 24, 2025
affected < 3.5.7-r2fixed 3.5.7-r2
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.
CVE-2025-58057Sep 3, 2025
affected < 3.5.6-r7fixed 3.5.6-r7
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056Sep 3, 2025
affected < 3.5.6-r7fixed 3.5.6-r7
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-48734May 28, 2025
affected < 3.5.7-r2fixed 3.5.7-r2
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no
CVE-2025-25193Feb 10, 2025
affected < 0fixed 0
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
CVE-2024-29869Jan 28, 2025
affected < 3.5.7-r2fixed 3.5.7-r2
Hive creates a credentials file to a temporary directory in the file system with permissions 644 by default when the file permissions are not set explicitly. Any unauthorized user having access to the directory can read the sensitive information written into this file. Users are
CVE-2024-23953Jan 28, 2025
affected < 3.5.7-r2fixed 3.5.7-r2
Use of Arrays.equals() in LlapSignerImpl in Apache Hive to compare message signatures allows attacker to forge a valid signature for an arbitrary message byte by byte. The attacker should be an authorized user of the product to perform this attack. Users are recommended to upgrad
CVE-2024-47535Nov 12, 2024
affected < 0fixed 0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
CVE-2024-8184Oct 14, 2024
affected < 3.5.7-r2fixed 3.5.7-r2
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
CVE-2024-36114HigMay 29, 2024
affected < 3.5.1-r6fixed 3.5.1-r6
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor
CVE-2024-29025Mar 25, 2024
affected < 3.5.1-r3fixed 3.5.1-r3
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t
CVE-2024-23944Mar 15, 2024
affected < 3.5.1-r3fixed 3.5.1-r3
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d
CVE-2022-46337Nov 20, 2023
affected < 3.5.5-r0fixed 3.5.5-r0
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execut
CVE-2022-3510Nov 11, 2022
affected < 3.5.7-r2fixed 3.5.7-r2
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat
CVE-2022-3509Nov 1, 2022
affected < 3.5.7-r2fixed 3.5.7-r2
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown
CVE-2022-3171Oct 12, 2022
affected < 3.5.7-r2fixed 3.5.7-r2
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be
CVE-2022-36944Sep 23, 2022
affected < 0fixed 0
Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary file

Page 1 of 2