apk package

wolfi/apache-nifi

pkg:apk/wolfi/apache-nifi

Vulnerabilities (82)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-42587	Hig	7.5	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42585	Med	6.5	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584	Hig	7.3	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583	Hig	7.5	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581	Med	5.8	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580	Med	6.5	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42579	Hig	7.5	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon
CVE-2026-42578	Hig	7.5	< 2.9.0-r6	2.9.0-r6	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
CVE-2026-41417	Med	5.3	< 2.9.0-r6	2.9.0-r6	May 6, 2026	Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-42779	Cri	9.8	< 2.9.0-r5	2.9.0-r5	May 1, 2026	The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all
CVE-2026-42778	Cri	9.8	< 2.9.0-r5	2.9.0-r5	May 1, 2026	The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applie
CVE-2026-41409	Cri	9.8	< 2.9.0-r4	2.9.0-r4	Apr 27, 2026	The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are A
CVE-2026-40542	Hig	7.3	< 2.9.0-r7	2.9.0-r7	Apr 22, 2026	Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
CVE-2026-22754	Hig	7.5	< 2.9.0-r3	2.9.0-r3	Apr 22, 2026	Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exer
CVE-2026-22753	Hig	7.5	< 2.9.0-r3	2.9.0-r3	Apr 22, 2026	Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intend
CVE-2026-22748	Med	5.3	< 2.9.0-r3	2.9.0-r3	Apr 22, 2026	Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.
CVE-2026-22747	Med	6.8	< 2.9.0-r3	2.9.0-r3	Apr 22, 2026	Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonati
CVE-2026-22746	Low	3.7	< 2.9.0-r3	2.9.0-r3	Apr 22, 2026	Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are
CVE-2026-22751	Med	4.8	< 2.9.0-r3	2.9.0-r3	Apr 21, 2026	Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu
CVE-2026-33557	Cri	9.1	< 2.8.0-r7	2.8.0-r7	Apr 20, 2026	A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature,

CVE-2026-42587HigMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42585MedMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584HigMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583HigMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581MedMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580MedMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42579HigMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon
CVE-2026-42578HigMay 13, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
CVE-2026-41417MedMay 6, 2026
affected < 2.9.0-r6fixed 2.9.0-r6
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-42779CriMay 1, 2026
affected < 2.9.0-r5fixed 2.9.0-r5
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all
CVE-2026-42778CriMay 1, 2026
affected < 2.9.0-r5fixed 2.9.0-r5
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applie
CVE-2026-41409CriApr 27, 2026
affected < 2.9.0-r4fixed 2.9.0-r4
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are A
CVE-2026-40542HigApr 22, 2026
affected < 2.9.0-r7fixed 2.9.0-r7
Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue.
CVE-2026-22754HigApr 22, 2026
affected < 2.9.0-r3fixed 2.9.0-r3
Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exer
CVE-2026-22753HigApr 22, 2026
affected < 2.9.0-r3fixed 2.9.0-r3
Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intend
CVE-2026-22748MedApr 22, 2026
affected < 2.9.0-r3fixed 2.9.0-r3
Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.
CVE-2026-22747MedApr 22, 2026
affected < 2.9.0-r3fixed 2.9.0-r3
Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonati
CVE-2026-22746LowApr 22, 2026
affected < 2.9.0-r3fixed 2.9.0-r3
Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are
CVE-2026-22751MedApr 21, 2026
affected < 2.9.0-r3fixed 2.9.0-r3
Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 throu
CVE-2026-33557CriApr 20, 2026
affected < 2.8.0-r7fixed 2.8.0-r7
A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating its signature,

Page 1 of 5