apk package
wolfi/cassandra-reaper
pkg:apk/wolfi/cassandra-reaper
Vulnerabilities (38)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8184 | — | < 4.0.1-r1 | 4.0.1-r1 | Oct 14, 2024 | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's | ||
| CVE-2024-9823 | — | < 4.0.1-r1 | 4.0.1-r1 | Oct 14, 2024 | There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the s | ||
| CVE-2024-29131 | — | < 3.6.0-r0 | 3.6.0-r0 | Mar 21, 2024 | Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | ||
| CVE-2024-29133 | — | < 3.6.0-r0 | 3.6.0-r0 | Mar 21, 2024 | Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. | ||
| CVE-2023-46120 | — | < 4.0.1-r1 | 4.0.1-r1 | Oct 24, 2023 | The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U | ||
| CVE-2023-40167 | — | < 4.0.1-r1 | 4.0.1-r1 | Sep 15, 2023 | Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely | ||
| CVE-2023-36479 | — | < 4.0.1-r1 | 4.0.1-r1 | Sep 15, 2023 | Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac | ||
| CVE-2023-2976 | — | < 4.0.1-r1 | 4.0.1-r1 | Jun 14, 2023 | Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to | ||
| CVE-2023-26049 | — | < 4.0.1-r1 | 4.0.1-r1 | Apr 18, 2023 | Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start | ||
| CVE-2023-26048 | — | < 4.0.1-r1 | 4.0.1-r1 | Apr 18, 2023 | Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a | ||
| CVE-2021-46877 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 18, 2023 | jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | ||
| CVE-2022-1471 | — | < 4.0.1-r1 | 4.0.1-r1 | Dec 1, 2022 | SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric | ||
| CVE-2022-42004 | — | < 4.0.1-r1 | 4.0.1-r1 | Oct 2, 2022 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | ||
| CVE-2022-42003 | — | < 4.0.1-r1 | 4.0.1-r1 | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | ||
| CVE-2020-36518 | — | < 4.0.1-r1 | 4.0.1-r1 | Mar 11, 2022 | jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | ||
| CVE-2021-28168 | — | < 4.0.1-r1 | 4.0.1-r1 | Apr 22, 2021 | Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents | ||
| CVE-2020-8908 | — | < 4.0.1-r1 | 4.0.1-r1 | Dec 10, 2020 | A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the | ||
| CVE-2015-0886 | — | < 4.0.1-r1 | 4.0.1-r1 | Feb 28, 2015 | Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. |
- CVE-2024-8184Oct 14, 2024affected < 4.0.1-r1fixed 4.0.1-r1
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
- CVE-2024-9823Oct 14, 2024affected < 4.0.1-r1fixed 4.0.1-r1
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the s
- CVE-2024-29131Mar 21, 2024affected < 3.6.0-r0fixed 3.6.0-r0
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
- CVE-2024-29133Mar 21, 2024affected < 3.6.0-r0fixed 3.6.0-r0
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
- CVE-2023-46120Oct 24, 2023affected < 4.0.1-r1fixed 4.0.1-r1
The RabbitMQ Java client library allows Java and JVM-based applications to connect to and interact with RabbitMQ nodes. `maxBodyLebgth` was not used when receiving Message objects. Attackers could send a very large Message causing a memory overflow and triggering an OOM Error. U
- CVE-2023-40167Sep 15, 2023affected < 4.0.1-r1fixed 4.0.1-r1
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely
- CVE-2023-36479Sep 15, 2023affected < 4.0.1-r1fixed 4.0.1-r1
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac
- CVE-2023-2976Jun 14, 2023affected < 4.0.1-r1fixed 4.0.1-r1
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to
- CVE-2023-26049Apr 18, 2023affected < 4.0.1-r1fixed 4.0.1-r1
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start
- CVE-2023-26048Apr 18, 2023affected < 4.0.1-r1fixed 4.0.1-r1
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a
- CVE-2021-46877Mar 18, 2023affected < 4.0.1-r1fixed 4.0.1-r1
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
- CVE-2022-1471Dec 1, 2022affected < 4.0.1-r1fixed 4.0.1-r1
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric
- CVE-2022-42004Oct 2, 2022affected < 4.0.1-r1fixed 4.0.1-r1
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
- CVE-2022-42003Oct 2, 2022affected < 4.0.1-r1fixed 4.0.1-r1
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2020-36518Mar 11, 2022affected < 4.0.1-r1fixed 4.0.1-r1
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
- CVE-2021-28168Apr 22, 2021affected < 4.0.1-r1fixed 4.0.1-r1
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents
- CVE-2020-8908Dec 10, 2020affected < 4.0.1-r1fixed 4.0.1-r1
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the
- CVE-2015-0886Feb 28, 2015affected < 4.0.1-r1fixed 4.0.1-r1
Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
Page 2 of 2