apk package
chainguard/zookeeper-fips-3.8
pkg:apk/chainguard/zookeeper-fips-3.8
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-54514 | med | — | < 3.8.6-r8 | 3.8.6-r8 | Jun 23, 2026 | ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd | |
| CVE-2026-54513 | hig | — | < 3.8.6-r8 | 3.8.6-r8 | Jun 23, 2026 | ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli | |
| CVE-2026-54512 | hig | — | < 3.8.6-r8 | 3.8.6-r8 | Jun 23, 2026 | `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal | |
| CVE-2026-45536 | Med | 4.0 | < 3.8.6-r5 | 3.8.6-r5 | Jun 12, 2026 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_ | |
| CVE-2026-45416 | Hig | 7.5 | < 3.8.6-r5 | 3.8.6-r5 | Jun 12, 2026 | Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly all | |
| CVE-2026-44249 | Hig | 8.1 | < 3.8.6-r5 | 3.8.6-r5 | Jun 11, 2026 | Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid pub | |
| CVE-2026-42583 | Hig | 7.5 | < 3.8.6-r3 | 3.8.6-r3 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload | |
| CVE-2026-42577 | Hig | 7.5 | < 3.8.6-r2 | 3.8.6-r2 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some | |
| CVE-2025-11143 | — | < 3.8.6-r2 | 3.8.6-r2 | Mar 5, 2026 | The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR | ||
| CVE-2026-1225 | Low | — | < 3.8.5-r1 | 3.8.5-r1 | Jan 22, 2026 | ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti | |
| CVE-2025-11226 | Med | — | < 3.8.5.0-r2 | 3.8.5.0-r2 | Oct 1, 2025 | ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia | |
| CVE-2025-58057 | — | < 3.8.5.0-r1 | 3.8.5.0-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s | ||
| CVE-2025-25193 | — | < 3.8.5-r1 | 3.8.5-r1 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts | ||
| CVE-2025-24970 | — | < 3.8.5-r1 | 3.8.5-r1 | Feb 10, 2025 | Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas | ||
| CVE-2024-12801 | Low | — | < 3.8.4-r1 | 3.8.4-r1 | Dec 19, 2024 | Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE | |
| CVE-2024-12798 | Med | — | < 3.8.4-r1 | 3.8.4-r1 | Dec 19, 2024 | ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an en | |
| CVE-2024-47535 | — | < 3.8.5-r1 | 3.8.5-r1 | Nov 12, 2024 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application | ||
| CVE-2024-6763 | — | < 3.8.6-r2 | 3.8.6-r2 | Oct 14, 2024 | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro | ||
| CVE-2024-47554 | — | < 3.8.5-r1 | 3.8.5-r1 | Oct 3, 2024 | Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are |
- affected < 3.8.6-r8fixed 3.8.6-r8
## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd
- affected < 3.8.6-r8fixed 3.8.6-r8
## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli
- affected < 3.8.6-r8fixed 3.8.6-r8
`jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal
- affected < 3.8.6-r5fixed 3.8.6-r5
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_
- affected < 3.8.6-r5fixed 3.8.6-r5
Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SslClientHelloHandler.decode() reads the 24-bit TLS handshake length and, when the ClientHello does not fit in the first record, eagerly all
- affected < 3.8.6-r5fixed 3.8.6-r5
Netty is a network application framework for development of protocol servers and clients. In netty-handler prior to versions 4.1.135.Final and 4.2.15.Final, an attacker can bypass IPv6 subnet rules due to an incorrect masking operation in IpSubnetFilterRule.compareTo(). Valid pub
- affected < 3.8.6-r3fixed 3.8.6-r3
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
- affected < 3.8.6-r2fixed 3.8.6-r2
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
- CVE-2025-11143Mar 5, 2026affected < 3.8.6-r2fixed 3.8.6-r2
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR
- affected < 3.8.5-r1fixed 3.8.5-r1
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti
- affected < 3.8.5.0-r2fixed 3.8.5.0-r2
ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia
- CVE-2025-58057Sep 3, 2025affected < 3.8.5.0-r1fixed 3.8.5.0-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
- CVE-2025-25193Feb 10, 2025affected < 3.8.5-r1fixed 3.8.5-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
- CVE-2025-24970Feb 10, 2025affected < 3.8.5-r1fixed 3.8.5-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas
- affected < 3.8.4-r1fixed 3.8.4-r1
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE
- affected < 3.8.4-r1fixed 3.8.4-r1
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an en
- CVE-2024-47535Nov 12, 2024affected < 3.8.5-r1fixed 3.8.5-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
- CVE-2024-6763Oct 14, 2024affected < 3.8.6-r2fixed 3.8.6-r2
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro
- CVE-2024-47554Oct 3, 2024affected < 3.8.5-r1fixed 3.8.5-r1
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are