VYPR

apk package

wolfi/apache-nifi-compat

pkg:apk/wolfi/apache-nifi-compat

Vulnerabilities (50)

  • CVE-2024-52046Dec 25, 2024
    affected < 2.1.0-r1fixed 2.1.0-r1

    The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially craf

  • CVE-2024-12801LowDec 19, 2024
    affected < 2.1.0-r0fixed 2.1.0-r0

    Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE

  • CVE-2024-12798MedDec 19, 2024
    affected < 2.1.0-r0fixed 2.1.0-r0

    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an en

  • CVE-2024-38829LowDec 4, 2024
    affected < 2.3.0-r0fixed 2.3.0-r0

    A vulnerability in Spring LDAP allows data exposure for case sensitive comparisons.This issue affects Spring LDAP: from 2.4.0 through 2.4.3, from 3.0.0 through 3.0.9, from 3.1.0 through 3.1.7, from 3.2.0 through 3.2.7, AND all versions prior to 2.4.0. The usage of String.toLower

  • CVE-2024-31141Nov 19, 2024
    affected < 2.0.0-r4fixed 2.0.0-r4

    Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apa

  • CVE-2024-47535Nov 12, 2024
    affected < 0fixed 0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application

  • CVE-2024-38821CriOct 28, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's

  • CVE-2024-38820Oct 18, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

  • CVE-2024-8184Oct 14, 2024
    affected < 2.3.0-r0fixed 2.3.0-r0

    There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's

  • CVE-2024-6763Oct 14, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro

  • CVE-2024-47554Oct 3, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are

  • CVE-2024-47561Oct 3, 2024
    affected < 2.3.0-r0fixed 2.3.0-r0

    Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4  or 1.12.0, which fix this issue.

  • CVE-2024-23454Sep 25, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared bet

  • CVE-2024-7254Sep 19, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf

  • CVE-2024-38808Aug 20, 2024
    affected < 1.27.0-r1fixed 1.27.0-r1

    In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when t

  • CVE-2024-25638HigJul 22, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

  • CVE-2024-37389Jul 8, 2024
    affected < 1.27.0-r0fixed 1.27.0-r0

    Apache NiFi 1.10.0 through 1.26.0 and 2.0.0-M1 through 2.0.0-M3 support a description field in the Parameter Context configuration that is vulnerable to cross-site scripting. An authenticated user, authorized to configure a Parameter Context, can enter arbitrary JavaScript code,

  • CVE-2024-36124Jun 3, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this

  • CVE-2024-36114HigMay 29, 2024
    affected < 2.0.0-r0fixed 2.0.0-r0

    Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor

  • CVE-2024-30172HigMay 14, 2024
    affected < 2.6.0-r2fixed 2.6.0-r2

    An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.