apk package
wolfi/druid-compat
pkg:apk/wolfi/druid-compat
Vulnerabilities (55)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-36114 | Hig | 8.6 | < 32.0.1-r1 | 32.0.1-r1 | May 29, 2024 | Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor | |
| CVE-2023-50298 | — | < 32.0.1-r1 | 32.0.1-r1 | Feb 9, 2024 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. | ||
| CVE-2022-46337 | — | < 32.0.1-r1 | 32.0.1-r1 | Nov 20, 2023 | A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execut | ||
| CVE-2023-3635 | — | < 0 | 0 | Jul 12, 2023 | GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class. | ||
| CVE-2023-2976 | — | < 0 | 0 | Jun 14, 2023 | Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to | ||
| CVE-2023-1436 | — | < 34.0.0-r6 | 34.0.0-r6 | Mar 16, 2023 | An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown. | ||
| CVE-2023-26464 | — | < 34.0.0-r6 | 34.0.0-r6 | Mar 10, 2023 | ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging compone | ||
| CVE-2022-45693 | — | < 34.0.0-r6 | 34.0.0-r6 | Dec 13, 2022 | Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. | ||
| CVE-2022-45685 | — | < 34.0.0-r6 | 34.0.0-r6 | Dec 13, 2022 | A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data. | ||
| CVE-2022-1471 | — | < 0 | 0 | Dec 1, 2022 | SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric | ||
| CVE-2022-3510 | — | < 34.0.0-r6 | 34.0.0-r6 | Nov 11, 2022 | A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat | ||
| CVE-2022-3509 | — | < 0 | 0 | Nov 1, 2022 | A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown | ||
| CVE-2022-3171 | — | < 34.0.0-r6 | 34.0.0-r6 | Oct 12, 2022 | A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be | ||
| CVE-2022-41404 | — | < 34.0.0-r6 | 34.0.0-r6 | Oct 11, 2022 | An issue in the fetch() method in the BasicProfile class of org.ini4j through version v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors. | ||
| CVE-2022-42004 | — | < 0 | 0 | Oct 2, 2022 | In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. | ||
| CVE-2022-42003 | — | < 0 | 0 | Oct 2, 2022 | In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. | ||
| CVE-2022-40152 | — | < 0 | 0 | Sep 16, 2022 | Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denia | ||
| CVE-2022-40150 | — | < 34.0.0-r6 | 34.0.0-r6 | Sep 16, 2022 | Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of ser | ||
| CVE-2022-40149 | — | < 34.0.0-r6 | 34.0.0-r6 | Sep 16, 2022 | Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of ser | ||
| CVE-2021-44521 | — | < 34.0.0-r6 | 34.0.0-r6 | Feb 11, 2022 | When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would n |
- affected < 32.0.1-r1fixed 32.0.1-r1
Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memor
- CVE-2023-50298Feb 9, 2024affected < 32.0.1-r1fixed 32.0.1-r1
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter.
- CVE-2022-46337Nov 20, 2023affected < 32.0.1-r1fixed 32.0.1-r1
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execut
- CVE-2023-3635Jul 12, 2023affected < 0fixed 0
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
- CVE-2023-2976Jun 14, 2023affected < 0fixed 0
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to
- CVE-2023-1436Mar 16, 2023affected < 34.0.0-r6fixed 34.0.0-r6
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
- CVE-2023-26464Mar 10, 2023affected < 34.0.0-r6fixed 34.0.0-r6
** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging compone
- CVE-2022-45693Dec 13, 2022affected < 34.0.0-r6fixed 34.0.0-r6
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
- CVE-2022-45685Dec 13, 2022affected < 34.0.0-r6fixed 34.0.0-r6
A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
- CVE-2022-1471Dec 1, 2022affected < 0fixed 0
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric
- CVE-2022-3510Nov 11, 2022affected < 34.0.0-r6fixed 34.0.0-r6
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeat
- CVE-2022-3509Nov 1, 2022affected < 0fixed 0
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown
- CVE-2022-3171Oct 12, 2022affected < 34.0.0-r6fixed 34.0.0-r6
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be
- CVE-2022-41404Oct 11, 2022affected < 34.0.0-r6fixed 34.0.0-r6
An issue in the fetch() method in the BasicProfile class of org.ini4j through version v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
- CVE-2022-42004Oct 2, 2022affected < 0fixed 0
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
- CVE-2022-42003Oct 2, 2022affected < 0fixed 0
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- CVE-2022-40152Sep 16, 2022affected < 0fixed 0
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denia
- CVE-2022-40150Sep 16, 2022affected < 34.0.0-r6fixed 34.0.0-r6
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of ser
- CVE-2022-40149Sep 16, 2022affected < 34.0.0-r6fixed 34.0.0-r6
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of ser
- CVE-2021-44521Feb 11, 2022affected < 34.0.0-r6fixed 34.0.0-r6
When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would n
Page 2 of 3