apk package
chainguard/strimzi-kafka-operator-fips-kafka-thirdparty-libs-cc
pkg:apk/chainguard/strimzi-kafka-operator-fips-kafka-thirdparty-libs-cc
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-2332 | Hig | 7.4 | < 1.0.0-r1 | 1.0.0-r1 | Apr 14, 2026 | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty term | |
| CVE-2026-35554 | Hig | 8.7 | < 1.0.0-r0 | 1.0.0-r0 | Apr 7, 2026 | A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch | |
| CVE-2025-11143 | — | < 1.0.0-r1 | 1.0.0-r1 | Mar 5, 2026 | The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR | ||
| CVE-2025-66566 | Hig | — | < 1.0.0-r0 | 1.0.0-r0 | Dec 5, 2025 | yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the | |
| CVE-2024-6763 | — | < 1.0.0-r1 | 1.0.0-r1 | Oct 14, 2024 | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro |
- affected < 1.0.0-r1fixed 1.0.0-r1
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty term
- affected < 1.0.0-r0fixed 1.0.0-r0
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch
- CVE-2025-11143Mar 5, 2026affected < 1.0.0-r1fixed 1.0.0-r1
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR
- affected < 1.0.0-r0fixed 1.0.0-r0
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the
- CVE-2024-6763Oct 14, 2024affected < 1.0.0-r1fixed 1.0.0-r1
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro
Page 2 of 2