apk package

chainguard/spark-fips-3.5-scala-2.13

pkg:apk/chainguard/spark-fips-3.5-scala-2.13

Vulnerabilities (30)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-42587	Hig	7.5	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42585	Med	6.5	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584	Hig	7.3	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583	Hig	7.5	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581	Med	5.8	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580	Med	6.5	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42578	Hig	7.5	< 3.5.8-r1	3.5.8-r1	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
CVE-2026-42577	Hig	7.5	< 3.5.8-r0	3.5.8-r0	May 13, 2026	Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
CVE-2026-41417	Med	5.3	< 3.5.8-r1	3.5.8-r1	May 6, 2026	Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-33871		—	< 3.5.8-r0	3.5.8-r0	Mar 27, 2026	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o
CVE-2026-33870		—	< 3.5.8-r0	3.5.8-r0	Mar 27, 2026	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
CVE-2025-54920		—	< 3.5.8-r0	3.5.8-r0	Mar 14, 2026	This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to ov
CVE-2026-24308		—	< 3.5.4-r25	3.5.4-r25	Mar 7, 2026	Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering p
CVE-2025-11143		—	< 3.5.8-r0	3.5.8-r0	Mar 5, 2026	The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR
CVE-2025-33042		—	< 3.5.4-r21	3.5.4-r21	Feb 13, 2026	Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrad
CVE-2025-68161		—	< 3.5.4-r19	3.5.4-r19	Dec 18, 2025	The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-67735		—	< 3.5.4-r18	3.5.4-r18	Dec 16, 2025	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-66566	Hig	—	< 3.5.4-r28	3.5.4-r28	Dec 5, 2025	yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the
CVE-2025-12183	Hig	—	< 3.5.4-r24	3.5.4-r24	Nov 28, 2025	Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.
CVE-2025-12383		—	< 3.5.4-r17	3.5.4-r17	Nov 18, 2025	In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but

CVE-2026-42587HigMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42585MedMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584HigMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583HigMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581MedMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580MedMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42578HigMay 13, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
CVE-2026-42577HigMay 13, 2026
affected < 3.5.8-r0fixed 3.5.8-r0
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
CVE-2026-41417MedMay 6, 2026
affected < 3.5.8-r1fixed 3.5.8-r1
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-33871Mar 27, 2026
affected < 3.5.8-r0fixed 3.5.8-r0
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o
CVE-2026-33870Mar 27, 2026
affected < 3.5.8-r0fixed 3.5.8-r0
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
CVE-2025-54920Mar 14, 2026
affected < 3.5.8-r0fixed 3.5.8-r0
This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to ov
CVE-2026-24308Mar 7, 2026
affected < 3.5.4-r25fixed 3.5.4-r25
Improper handling of configuration values in ZKConfig in Apache ZooKeeper 3.8.5 and 3.9.4 on all platforms allows an attacker to expose sensitive information stored in client configuration in the client's logfile. Configuration values are exposed at INFO level logging rendering p
CVE-2025-11143Mar 5, 2026
affected < 3.5.8-r0fixed 3.5.8-r0
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR
CVE-2025-33042Feb 13, 2026
affected < 3.5.4-r21fixed 3.5.4-r21
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrad
CVE-2025-68161Dec 18, 2025
affected < 3.5.4-r19fixed 3.5.4-r19
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-67735Dec 16, 2025
affected < 3.5.4-r18fixed 3.5.4-r18
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-66566HigDec 5, 2025
affected < 3.5.4-r28fixed 3.5.4-r28
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the
CVE-2025-12183HigNov 28, 2025
affected < 3.5.4-r24fixed 3.5.4-r24
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.
CVE-2025-12383Nov 18, 2025
affected < 3.5.4-r17fixed 3.5.4-r17
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but

Page 1 of 2