VYPR

apk package

chainguard/spark-fips-3.5-scala-2.12

pkg:apk/chainguard/spark-fips-3.5-scala-2.12

Vulnerabilities (36)

  • CVE-2025-33042Feb 13, 2026
    affected < 3.5.4-r21fixed 3.5.4-r21

    Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrad

  • CVE-2025-68161Dec 18, 2025
    affected < 3.5.4-r19fixed 3.5.4-r19

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-67735Dec 16, 2025
    affected < 3.5.4-r19fixed 3.5.4-r19

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-66566HigDec 5, 2025
    affected < 3.5.4-r28fixed 3.5.4-r28

    yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the

  • CVE-2025-12183HigNov 28, 2025
    affected < 3.5.4-r24fixed 3.5.4-r24

    Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

  • CVE-2025-12383Nov 18, 2025
    affected < 3.5.4-r17fixed 3.5.4-r17

    In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but

  • CVE-2025-58457Sep 24, 2025
    affected < 3.5.4-r17fixed 3.5.4-r17

    Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.

  • CVE-2025-58057Sep 3, 2025
    affected < 3.5.4-r15fixed 3.5.4-r15

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056Sep 3, 2025
    affected < 3.5.4-r14fixed 3.5.4-r14

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch

  • CVE-2025-55163Aug 13, 2025
    affected < 3.5.4-r13fixed 3.5.4-r13

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the

  • CVE-2025-48924Jul 11, 2025
    affected < 3.5.8-r0fixed 3.5.8-r0

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2024-6763Oct 14, 2024
    affected < 3.5.8-r0fixed 3.5.8-r0

    Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro

  • CVE-2022-46337Nov 20, 2023
    affected < 3.5.4-r17fixed 3.5.4-r17

    A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execut

  • CVE-2022-36944Sep 23, 2022
    affected < 3.5.4-r17fixed 3.5.4-r17

    Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary file

  • CVE-2021-22570Jan 26, 2022
    affected < 3.5.4-r17fixed 3.5.4-r17

    Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend

  • CVE-2019-10172Nov 18, 2019
    affected < 0fixed 0

    A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

Page 2 of 2