apk package
wolfi/apache-nifi-toolkit
pkg:apk/wolfi/apache-nifi-toolkit
Vulnerabilities (51)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-30172 | Hig | 7.5 | < 2.6.0-r2 | 2.6.0-r2 | May 14, 2024 | An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key. | |
| CVE-2023-51775 | — | < 2.6.0-r2 | 2.6.0-r2 | Dec 25, 2023 | The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value. | ||
| CVE-2023-46120 | — | < 2.6.0-r2 | 2.6.0-r2 | Oct 24, 2023 | The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U | ||
| CVE-2023-34462 | — | < 2.6.0-r2 | 2.6.0-r2 | Jun 22, 2023 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does | ||
| CVE-2022-41915 | — | < 2.6.0-r2 | 2.6.0-r2 | Dec 13, 2022 | Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values | ||
| CVE-2022-41881 | — | < 2.6.0-r2 | 2.6.0-r2 | Dec 12, 2022 | Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor | ||
| CVE-2022-3510 | — | < 2.6.0-r2 | 2.6.0-r2 | Nov 11, 2022 | A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat | ||
| CVE-2022-3509 | — | < 2.6.0-r2 | 2.6.0-r2 | Nov 1, 2022 | A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown | ||
| CVE-2022-3171 | — | < 2.6.0-r2 | 2.6.0-r2 | Oct 12, 2022 | A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be | ||
| CVE-2021-38153 | — | < 2.6.0-r2 | 2.6.0-r2 | Sep 22, 2021 | Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera | ||
| CVE-2016-1000027 | — | < 0 | 0 | Jan 2, 2020 | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO |
- affected < 2.6.0-r2fixed 2.6.0-r2
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
- CVE-2023-51775Dec 25, 2023affected < 2.6.0-r2fixed 2.6.0-r2
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
- CVE-2023-46120Oct 24, 2023affected < 2.6.0-r2fixed 2.6.0-r2
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U
- CVE-2023-34462Jun 22, 2023affected < 2.6.0-r2fixed 2.6.0-r2
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does
- CVE-2022-41915Dec 13, 2022affected < 2.6.0-r2fixed 2.6.0-r2
Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values
- CVE-2022-41881Dec 12, 2022affected < 2.6.0-r2fixed 2.6.0-r2
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no wor
- CVE-2022-3510Nov 11, 2022affected < 2.6.0-r2fixed 2.6.0-r2
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat
- CVE-2022-3509Nov 1, 2022affected < 2.6.0-r2fixed 2.6.0-r2
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown
- CVE-2022-3171Oct 12, 2022affected < 2.6.0-r2fixed 2.6.0-r2
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be
- CVE-2021-38153Sep 22, 2021affected < 2.6.0-r2fixed 2.6.0-r2
Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnera
- CVE-2016-1000027Jan 2, 2020affected < 0fixed 0
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NO
Page 3 of 3