apk package
wolfi/apicurio-registry
pkg:apk/wolfi/apicurio-registry
Vulnerabilities (52)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42581 | Med | 5.8 | < 3.2.1-r3 | 3.2.1-r3 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T | |
| CVE-2026-42580 | Med | 6.5 | < 3.2.1-r3 | 3.2.1-r3 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final. | |
| CVE-2026-42579 | Hig | 7.5 | < 3.2.1-r5 | 3.2.1-r5 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon | |
| CVE-2026-42578 | Hig | 7.5 | < 3.2.4-r2 | 3.2.4-r2 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea | |
| CVE-2026-41417 | Med | 5.3 | < 3.2.1-r3 | 3.2.1-r3 | May 6, 2026 | Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no | |
| CVE-2026-6860 | Med | 5.3 | < 3.2.4-r1 | 3.2.4-r1 | May 6, 2026 | A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used. | |
| CVE-2026-39852 | Hig | 8.2 | < 3.2.4-r1 | 3.2.4-r1 | May 5, 2026 | Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged user | |
| CVE-2026-42198 | Hig | 7.5 | < 3.2.1-r4 | 3.2.1-r4 | Apr 29, 2026 | pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg | |
| CVE-2026-33871 | — | < 3.2.0-r3 | 3.2.0-r3 | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o | ||
| CVE-2026-33870 | — | < 3.2.0-r2 | 3.2.0-r2 | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an | ||
| CVE-2026-1002 | — | < 3.1.6-r1 | 3.1.6-r1 | Jan 15, 2026 | The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co | ||
| CVE-2025-67735 | — | < 3.1.4-r3 | 3.1.4-r3 | Dec 16, 2025 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh | ||
| CVE-2025-59250 | — | < 3.1.4-r2 | 3.1.4-r2 | Oct 14, 2025 | Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-58057 | — | < 3.0.13-r1 | 3.0.13-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s | ||
| CVE-2025-58056 | — | < 3.0.14-r1 | 3.0.14-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch | ||
| CVE-2025-55163 | — | < 3.0.12-r1 | 3.0.12-r1 | Aug 13, 2025 | Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the | ||
| CVE-2025-7962 | — | < 3.0.11-r1 | 3.0.11-r1 | Jul 21, 2025 | In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages. | ||
| CVE-2025-48924 | — | < 3.0.9-r5 | 3.0.9-r5 | Jul 11, 2025 | Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr | ||
| CVE-2025-53864 | Med | 5.8 | < 3.0.9-r6 | 3.0.9-r6 | Jul 11, 2025 | Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca | |
| CVE-2025-49146 | — | < 3.0.9-r2 | 3.0.9-r2 | Jun 11, 2025 | pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that |
- affected < 3.2.1-r3fixed 3.2.1-r3
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
- affected < 3.2.1-r3fixed 3.2.1-r3
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
- affected < 3.2.1-r5fixed 3.2.1-r5
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon
- affected < 3.2.4-r2fixed 3.2.4-r2
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
- affected < 3.2.1-r3fixed 3.2.1-r3
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
- affected < 3.2.4-r1fixed 3.2.4-r1
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accepting *.example.com, any XYZ.example.com where xyz is a valid name can be used.
- affected < 3.2.4-r1fixed 3.2.4-r1
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged user
- affected < 3.2.1-r4fixed 3.2.1-r4
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg
- CVE-2026-33871Mar 27, 2026affected < 3.2.0-r3fixed 3.2.0-r3
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o
- CVE-2026-33870Mar 27, 2026affected < 3.2.0-r2fixed 3.2.0-r2
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
- CVE-2026-1002Jan 15, 2026affected < 3.1.6-r1fixed 3.1.6-r1
The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co
- CVE-2025-67735Dec 16, 2025affected < 3.1.4-r3fixed 3.1.4-r3
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
- CVE-2025-59250Oct 14, 2025affected < 3.1.4-r2fixed 3.1.4-r2
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
- CVE-2025-58057Sep 3, 2025affected < 3.0.13-r1fixed 3.0.13-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
- CVE-2025-58056Sep 3, 2025affected < 3.0.14-r1fixed 3.0.14-r1
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
- CVE-2025-55163Aug 13, 2025affected < 3.0.12-r1fixed 3.0.12-r1
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
- CVE-2025-7962Jul 21, 2025affected < 3.0.11-r1fixed 3.0.11-r1
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
- CVE-2025-48924Jul 11, 2025affected < 3.0.9-r5fixed 3.0.9-r5
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
- affected < 3.0.9-r6fixed 3.0.9-r6
Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca
- CVE-2025-49146Jun 11, 2025affected < 3.0.9-r2fixed 3.0.9-r2
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that
Page 2 of 3