VYPR

apk package

wolfi/gradle-8

pkg:apk/wolfi/gradle-8

Vulnerabilities (25)

  • CVE-2026-54514medJun 23, 2026
    affected < 8.14.5-r1fixed 8.14.5-r1

    ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd

  • CVE-2026-54513higJun 23, 2026
    affected < 8.14.5-r1fixed 8.14.5-r1

    ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli

  • CVE-2026-54512higJun 23, 2026
    affected < 8.14.5-r1fixed 8.14.5-r1

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal

  • CVE-2026-5598HigApr 15, 2026
    affected < 8.14.4-r4fixed 8.14.4-r4

    Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.

  • CVE-2026-3505HigApr 15, 2026
    affected < 8.14.4-r4fixed 8.14.4-r4

    Allocation of resources without limits or throttling, Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This vulnerability is associated with program files AEADEncDataPacket.Java, BcAEADUtil.Java, JceAEADUtil.J

  • CVE-2026-0636MedApr 15, 2026
    affected < 8.14.4-r4fixed 8.14.4-r4

    Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from

  • CVE-2025-67030HigMar 25, 2026
    affected < 8.14.4-r3fixed 8.14.4-r3

    Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code

  • CVE-2026-22865Jan 16, 2026
    affected < 8.14.4-r0fixed 8.14.4-r0

    Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered o

  • CVE-2026-22816Jan 16, 2026
    affected < 8.14.4-r0fixed 8.14.4-r0

    Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered o

  • CVE-2025-4949MedMay 21, 2025
    affected < 8.14.1-r1fixed 8.14.1-r1

    In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML Exte

  • CVE-2024-30172HigMay 14, 2024
    affected < 8.7.0-r4fixed 8.7.0-r4

    An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

  • CVE-2024-30171MedMay 14, 2024
    affected < 8.7.0-r4fixed 8.7.0-r4

    An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

  • CVE-2024-29857HigMay 14, 2024
    affected < 8.7.0-r4fixed 8.7.0-r4

    An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during

  • CVE-2024-34447HigMay 3, 2024
    affected < 8.7.0-r4fixed 8.7.0-r4

    An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici

  • CVE-2024-26308MedFeb 19, 2024
    affected < 8.7.0-r1fixed 8.7.0-r1

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

  • CVE-2024-25710HigFeb 19, 2024
    affected < 8.7.0-r1fixed 8.7.0-r1

    Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

  • CVE-2023-33202MedNov 23, 2023
    affected < 8.7.0-r1fixed 8.7.0-r1

    Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a f

  • CVE-2023-4759HigSep 12, 2023
    affected < 0fixed 0

    Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a

  • CVE-2022-46751HigAug 21, 2023
    affected < 8.4.0-r0fixed 8.4.0-r0

    Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2. When Apache Ivy prior to 2.5.2 parses XML files - either its own c

  • CVE-2023-33201MedJul 5, 2023
    affected < 8.7.0-r1fixed 8.7.0-r1

    Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certif

Page 1 of 2