apk package
chainguard/wso2is-doc
pkg:apk/chainguard/wso2is-doc
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-12383 | — | | | < 7.2.0-r0 | 7.2.0-r0 | Nov 18, 2025 | In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but |
| CVE-2025-1396 | — | | | < 7.2.0-r0 | 7.2.0-r0 | Sep 26, 2025 | A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allo |
| CVE-2025-58457 | — | | | < 7.2.0-r0 | 7.2.0-r0 | Sep 24, 2025 | Improper permission check in ZooKeeper AdminServer lets authorized clients run snapshot and restore commands with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue. |
| CVE-2025-59340 | — | | | < 7.2.0-r0 | 7.2.0-r0 | Sep 17, 2025 | jinjava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to 2.8.1, by using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input |
| CVE-2025-49128 | Med | 4.0 | | < 7.1.0-r2 | 7.1.0-r2 | Jun 6, 2025 | Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unint |
| CVE-2025-48734 | — | | | < 7.2.0-r0 | 7.2.0-r0 | May 28, 2025 | Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no |
| CVE-2025-23184 | — | | | < 7.1.0-r1 | 7.1.0-r1 | Jan 21, 2025 | A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and client |
| CVE-2024-51504 | — | | | < 7.2.0-r0 | 7.2.0-r0 | Nov 7, 2024 | When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthentication |