apk package
chainguard/trino-plugin-opensearch
pkg:apk/chainguard/trino-plugin-opensearch
Vulnerabilities (75)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-34158 | Hig | 7.5 | < 469-r2 | 469-r2 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. | |
| CVE-2024-34156 | Hig | 7.5 | < 469-r2 | 469-r2 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. | |
| CVE-2024-34155 | Med | 4.3 | < 469-r2 | 469-r2 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. | |
| CVE-2024-23444 | — | < 453-r1 | 453-r1 | Jul 31, 2024 | It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed | ||
| CVE-2024-35255 | — | < 452-r0 | 452-r0 | Jun 11, 2024 | Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability | ||
| CVE-2024-36114 | Hig | 8.6 | < 449-r0 | 449-r0 | May 29, 2024 | Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor | |
| CVE-2024-32888 | Cri | 10.0 | < 472-r0 | 472-r0 | May 15, 2024 | The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the | |
| CVE-2024-23450 | — | < 444-r0 | 444-r0 | Mar 27, 2024 | A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash. | ||
| CVE-2024-29131 | — | < 444-r1 | 444-r1 | Mar 21, 2024 | Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | ||
| CVE-2024-29133 | — | < 444-r1 | 444-r1 | Mar 21, 2024 | Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | ||
| CVE-2024-23944 | — | < 443-r0 | 443-r0 | Mar 15, 2024 | Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d | ||
| CVE-2024-1597 | — | < 439-r2 | 439-r2 | Feb 19, 2024 | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeh | ||
| CVE-2024-25710 | — | < 439-r2 | 439-r2 | Feb 19, 2024 | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue. | ||
| CVE-2024-26308 | — | < 439-r2 | 439-r2 | Feb 19, 2024 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue. | ||
| CVE-2023-50570 | — | < 472-r0 | 472-r0 | Dec 29, 2023 | An issue in the component IPAddressBitsDivision of IPAddress v5.1.0 leads to an infinite loop. This is disputed because an infinite loop occurs only for cases in which the developer supplies invalid arguments. The product is not intended to always halt for contrived inputs. | ||
| CVE-2023-51074 | — | < 437-r0 | 437-r0 | Dec 27, 2023 | json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method. | ||
| CVE-2023-34062 | — | < 433-r1 | 433-r1 | Nov 15, 2023 | In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Serv | ||
| CVE-2023-31418 | — | < 0 | 0 | Oct 26, 2023 | An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elasti | ||
| CVE-2023-46120 | — | < 478-r2 | 478-r2 | Oct 24, 2023 | The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U | ||
| CVE-2023-44981 | — | < 478-r2 | 478-r2 | Oct 11, 2023 | Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.c |
- affected < 469-r2fixed 469-r2
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
- affected < 469-r2fixed 469-r2
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
- affected < 469-r2fixed 469-r2
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
- CVE-2024-23444Jul 31, 2024affected < 453-r1fixed 453-r1
It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed
- CVE-2024-35255Jun 11, 2024affected < 452-r0fixed 452-r0
Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
- affected < 449-r0fixed 449-r0
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor
- affected < 472-r0fixed 472-r0
The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the
- CVE-2024-23450Mar 27, 2024affected < 444-r0fixed 444-r0
A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
- CVE-2024-29131Mar 21, 2024affected < 444-r1fixed 444-r1
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
- CVE-2024-29133Mar 21, 2024affected < 444-r1fixed 444-r1
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
- CVE-2024-23944Mar 15, 2024affected < 443-r0fixed 443-r0
Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't d
- CVE-2024-1597Feb 19, 2024affected < 439-r2fixed 439-r2
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeh
- CVE-2024-25710Feb 19, 2024affected < 439-r2fixed 439-r2
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
- CVE-2024-26308Feb 19, 2024affected < 439-r2fixed 439-r2
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
- CVE-2023-50570Dec 29, 2023affected < 472-r0fixed 472-r0
An issue in the component IPAddressBitsDivision of IPAddress v5.1.0 leads to an infinite loop. This is disputed because an infinite loop occurs only for cases in which the developer supplies invalid arguments. The product is not intended to always halt for contrived inputs.
- CVE-2023-51074Dec 27, 2023affected < 437-r0fixed 437-r0
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
- CVE-2023-34062Nov 15, 2023affected < 433-r1fixed 433-r1
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Serv
- CVE-2023-31418Oct 26, 2023affected < 0fixed 0
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elasti
- CVE-2023-46120Oct 24, 2023affected < 478-r2fixed 478-r2
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U
- CVE-2023-44981Oct 11, 2023affected < 478-r2fixed 478-r2
Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.c
Page 3 of 4