VYPR

apk package

wolfi/druid-compat

pkg:apk/wolfi/druid-compat

Vulnerabilities (55)

  • CVE-2022-23307HigJan 18, 2022
    affected < 34.0.0-r6fixed 34.0.0-r6

    CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

  • CVE-2022-23305CriJan 18, 2022
    affected < 34.0.0-r6fixed 34.0.0-r6

    By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering

  • CVE-2022-23302HigJan 18, 2022
    affected < 34.0.0-r6fixed 34.0.0-r6

    JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBi

  • CVE-2021-4104HigDec 14, 2021
    affected < 34.0.0-r6fixed 34.0.0-r6

    JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests t

  • CVE-2021-43797Dec 9, 2021
    affected < 0fixed 0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It shoul

  • CVE-2021-37137Oct 19, 2021
    affected < 34.0.0-r6fixed 34.0.0-r6

    The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be tr

  • CVE-2021-37136Oct 19, 2021
    affected < 34.0.0-r6fixed 34.0.0-r6

    The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

  • CVE-2021-29425Apr 13, 2021
    affected < 34.0.0-r6fixed 34.0.0-r6

    In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limit

  • CVE-2021-21409Mar 30, 2021
    affected < 0fixed 0

    Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smug

  • CVE-2021-21295Mar 9, 2021
    affected < 0fixed 0

    Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smug

  • CVE-2021-21290Feb 8, 2021
    affected < 0fixed 0

    Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file.

  • CVE-2019-20444Jan 29, 2020
    affected < 34.0.0-r6fixed 34.0.0-r6

    HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

  • CVE-2019-20445Jan 29, 2020
    affected < 0fixed 0

    HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

  • CVE-2019-17571CriDec 20, 2019
    affected < 34.0.0-r6fixed 34.0.0-r6

    Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j

  • CVE-2018-1320Jan 7, 2019
    affected < 32.0.1-r1fixed 32.0.1-r1

    Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production

Page 3 of 3