VYPR

apk package

wolfi/druid

pkg:apk/wolfi/druid

Vulnerabilities (111)

  • CVE-2022-46337CriNov 20, 2023
    affected < 32.0.1-r1fixed 32.0.1-r1

    A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execut

  • CVE-2023-39410HigSep 29, 2023
    affected < 37.0.0-r14fixed 37.0.0-r14

    When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should up

  • CVE-2023-43642HigSep 25, 2023
    affected < 37.0.0-r0fixed 37.0.0-r0

    snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk len

  • CVE-2023-40167MedSep 15, 2023
    affected < 37.0.0-r14fixed 37.0.0-r14

    Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely

  • CVE-2023-3635MedJul 12, 2023
    affected < 0fixed 0

    GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

  • CVE-2023-33201MedJul 5, 2023
    affected < 37.0.0-r8fixed 37.0.0-r8

    Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certif

  • CVE-2023-34455HigJun 15, 2023
    affected < 37.0.0-r0fixed 37.0.0-r0

    snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1. The code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks

  • CVE-2023-34454MedJun 15, 2023
    affected < 37.0.0-r0fixed 37.0.0-r0

    snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error. The function `compress(char[] input)` in the file `Snappy.java` receives an array of chara

  • CVE-2023-34453MedJun 15, 2023
    affected < 37.0.0-r0fixed 37.0.0-r0

    snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` in the file `BitShuffle.java` receives an array of integers and appli

  • CVE-2023-2976MedJun 14, 2023
    affected < 0fixed 0

    Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to

  • CVE-2023-1436MedMar 22, 2023
    affected < 35.0.1-r5fixed 35.0.1-r5

    An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.

  • CVE-2023-1370HigMar 22, 2023
    affected < 37.0.0-r14fixed 37.0.0-r14

    [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o

  • CVE-2022-45693HigDec 13, 2022
    affected < 35.0.1-r5fixed 35.0.1-r5

    Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

  • CVE-2022-45685HigDec 13, 2022
    affected < 35.0.1-r5fixed 35.0.1-r5

    A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.

  • CVE-2022-3509HigDec 12, 2022
    affected < 0fixed 0

    A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown

  • CVE-2021-37533MedDec 3, 2022
    affected < 37.0.0-r14fixed 37.0.0-r14

    Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of inf

  • CVE-2022-1471HigDec 1, 2022
    affected < 0fixed 0

    SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric

  • CVE-2022-42004HigOct 2, 2022
    affected < 0fixed 0

    In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

  • CVE-2022-42003HigOct 2, 2022
    affected < 0fixed 0

    In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

  • CVE-2022-40152MedSep 16, 2022
    affected < 0fixed 0

    Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denia

Page 5 of 6