VYPR

apk package

wolfi/celeborn-0.6

pkg:apk/wolfi/celeborn-0.6

Vulnerabilities (39)

  • CVE-2024-47554 (Oct 3, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are

  • CVE-2024-47561 (Oct 3, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

  • CVE-2024-23454 (Sep 25, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Apache Hadoop’s RunJar.run() does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared bet

  • CVE-2024-7254 (Sep 19, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf

  • CVE-2024-25638 Hig (Jul 22, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

  • CVE-2024-29131 (Mar 21, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

  • CVE-2024-29133 (Mar 21, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

  • CVE-2024-25710 (Feb 19, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0, which fixes the issue.

  • CVE-2024-26308 (Feb 19, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

  • CVE-2023-52428 (Feb 11, 2024)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

  • CVE-2023-39410 (Sep 29, 2023)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should up

  • CVE-2023-2976 (Jun 14, 2023)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to

  • CVE-2023-1370 (Mar 13, 2023)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[’ or ‘{’ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o

  • CVE-2022-3510 (Nov 11, 2022)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat

  • CVE-2022-3509 (Nov 1, 2022)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown

  • CVE-2022-3171 (Oct 12, 2022)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be

  • CVE-2021-22569 (Jan 7, 2022)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause fre

  • CVE-2021-31684 (Jun 1, 2021)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.

  • CVE-2020-8908 (Dec 10, 2020)
    affected < 0.6.3-r7; fixed 0.6.3-r7

    A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the

Page 2 of 2