VYPR

apk package

chainguard/wildfly-openjdk-17

pkg:apk/chainguard/wildfly-openjdk-17

Vulnerabilities (51)

  • CVE-2026-50020MedJun 12, 2026
    affected < 40.0.0-r6fixed 40.0.0-r6

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0

  • CVE-2026-48043MedJun 12, 2026
    affected < 40.0.0-r4fixed 40.0.0-r4

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedCh

  • CVE-2026-47691HigJun 12, 2026
    affected < 40.0.0-r3fixed 40.0.0-r3

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an a

  • CVE-2026-47244MedJun 12, 2026
    affected < 40.0.0-r4fixed 40.0.0-r4

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTING

  • CVE-2026-45674HigJun 12, 2026
    affected < 40.0.0-r3fixed 40.0.0-r3

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Fina

  • CVE-2026-45673MedJun 12, 2026
    affected < 40.0.0-r3fixed 40.0.0-r3

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination r

  • CVE-2026-45536MedJun 12, 2026
    affected < 40.0.0-r5fixed 40.0.0-r5

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_

  • CVE-2026-45416HigJun 12, 2026
    affected < 40.0.0-r1fixed 40.0.0-r1

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly all

  • CVE-2026-44249HigJun 11, 2026
    affected < 40.0.0-r1fixed 40.0.0-r1

    Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid pub

  • CVE-2026-42587HigMay 13, 2026
    affected < 39.0.1-r9fixed 39.0.1-r9

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for

  • CVE-2026-42583HigMay 13, 2026
    affected < 39.0.1-r10fixed 39.0.1-r10

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload

  • CVE-2026-42579HigMay 13, 2026
    affected < 39.0.1-r8fixed 39.0.1-r8

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon

  • CVE-2026-42578HigMay 13, 2026
    affected < 39.0.1-r11fixed 39.0.1-r11

    Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea

  • CVE-2026-42577HigMay 13, 2026
    affected < 39.0.1-r9fixed 39.0.1-r9

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-41417MedMay 6, 2026
    affected < 39.0.1-r6fixed 39.0.1-r6

    Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no

  • CVE-2026-6860MedMay 6, 2026
    affected < 40.0.0-r0fixed 40.0.0-r0

    A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.

  • CVE-2026-42404MedMay 1, 2026
    affected < 39.0.1-r7fixed 39.0.1-r7

    Apache Neethi does not impose any restrictions on URIs when manually fetching remote policy references through the PolicyReference API. When an application explicitly calls the API to retrieve a policy from a remote URI, an outbound request is made for arbitrary protocols and int

  • CVE-2026-42403HigMay 1, 2026
    affected < 39.0.1-r7fixed 39.0.1-r7

    Apache Neethi does not properly detect circular references in policy definitions. When a WS-Policy document contains circular policy references (where Policy A references Policy B which references Policy A), the policy normalization process can enter an infinite loop or cause exc

  • CVE-2026-42402HigMay 1, 2026
    affected < 39.0.1-r7fixed 39.0.1-r7

    Apache Neethi is vulnerable to a Denial of Service attack through algorithmic complexity in policy normalization. Specially crafted WS-Policy documents can trigger an exponential Cartesian cross-product expansion during the normalization process, causing unbounded memory allocati

  • CVE-2026-33558MedApr 20, 2026
    affected < 40.0.0-r0fixed 40.0.0-r0

    Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit

Page 1 of 3