apk package

wolfi/infinispan-15.2-compat

pkg:apk/wolfi/infinispan-15.2-compat

Vulnerabilities (9)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-68161	—	< 15.2.6-r3	15.2.6-r3	Dec 18, 2025	The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-67735	—	< 15.2.6-r2	15.2.6-r2	Dec 16, 2025	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-58057	—	< 15.2.6-r0	15.2.6-r0	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056	—	< 15.2.6-r1	15.2.6-r1	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-55163	—	< 15.2.5-r1	15.2.5-r1	Aug 13, 2025	Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
CVE-2023-5384	—	< 15.2.6-r1	15.2.6-r1	Dec 18, 2023	A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
CVE-2023-5236	—	< 15.2.6-r1	15.2.6-r1	Dec 18, 2023	A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of
CVE-2023-3629	—	< 15.2.6-r1	15.2.6-r1	Dec 18, 2023	A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
CVE-2023-3628	—	< 15.2.6-r1	15.2.6-r1	Dec 18, 2023	A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

CVE-2025-68161Dec 18, 2025
affected < 15.2.6-r3fixed 15.2.6-r3
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2025-67735Dec 16, 2025
affected < 15.2.6-r2fixed 15.2.6-r2
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-58057Sep 3, 2025
affected < 15.2.6-r0fixed 15.2.6-r0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056Sep 3, 2025
affected < 15.2.6-r1fixed 15.2.6-r1
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-55163Aug 13, 2025
affected < 15.2.5-r1fixed 15.2.5-r1
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
CVE-2023-5384Dec 18, 2023
affected < 15.2.6-r1fixed 15.2.6-r1
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
CVE-2023-5236Dec 18, 2023
affected < 15.2.6-r1fixed 15.2.6-r1
A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of
CVE-2023-3629Dec 18, 2023
affected < 15.2.6-r1fixed 15.2.6-r1
A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
CVE-2023-3628Dec 18, 2023
affected < 15.2.6-r1fixed 15.2.6-r1
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.