apk package

wolfi/opensearch-2-security

pkg:apk/wolfi/opensearch-2-security

Vulnerabilities (46)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-42587	Hig	7.5	< 2.19.4-r14	2.19.4-r14	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42585	Med	6.5	< 2.19.4-r14	2.19.4-r14	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584	Hig	7.3	< 2.19.4-r14	2.19.4-r14	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583	Hig	7.5	< 2.19.4-r14	2.19.4-r14	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581	Med	5.8	< 2.19.4-r14	2.19.4-r14	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580	Med	6.5	< 2.19.4-r14	2.19.4-r14	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-41417	Med	5.3	< 2.19.4-r14	2.19.4-r14	May 6, 2026	Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-33558	Med	5.3	< 2.19.4-r14	2.19.4-r14	Apr 20, 2026	Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit
CVE-2026-5598	Hig	—	< 2.19.4-r14	2.19.4-r14	Apr 15, 2026	Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.
CVE-2026-5588	Med	—	< 2.19.4-r14	2.19.4-r14	Apr 15, 2026	Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modul
CVE-2026-0636	Med	—	< 2.19.4-r14	2.19.4-r14	Apr 15, 2026	Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from
CVE-2026-35554	Hig	8.7	< 2.19.4-r14	2.19.4-r14	Apr 7, 2026	A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch
CVE-2026-33870		—	< 2.19.4-r13	2.19.4-r13	Mar 27, 2026	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
CVE-2025-67735		—	< 2.19.4-r6	2.19.4-r6	Dec 16, 2025	Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-66566	Hig	—	< 2.19.4-r12	2.19.4-r12	Dec 5, 2025	yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the
CVE-2025-12183	Hig	—	< 2.19.4-r12	2.19.4-r12	Nov 28, 2025	Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.
CVE-2025-9624		—	< 2.19.4-r0	2.19.4-r0	Nov 25, 2025	A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4.
CVE-2025-58057		—	< 2.19.4-r0	2.19.4-r0	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056		—	< 2.19.4-r0	2.19.4-r0	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-54988		—	< 2.19.4-r0	2.19.4-r0	Aug 20, 2025	Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger ma

CVE-2026-42587HigMay 13, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42585MedMay 13, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584HigMay 13, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583HigMay 13, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581MedMay 13, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580MedMay 13, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-41417MedMay 6, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-33558MedApr 20, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensit
CVE-2026-5598HigApr 15, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.80.1, from 1.82 before 1.
CVE-2026-5588MedApr 15, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules), Legion of the Bouncy Castle Inc. BCPIX-LTS bcpkix on All (pkix modul
CVE-2026-0636MedApr 15, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from
CVE-2026-35554HigApr 7, 2026
affected < 2.19.4-r14fixed 2.19.4-r14
A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch
CVE-2026-33870Mar 27, 2026
affected < 2.19.4-r13fixed 2.19.4-r13
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
CVE-2025-67735Dec 16, 2025
affected < 2.19.4-r6fixed 2.19.4-r6
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
CVE-2025-66566HigDec 5, 2025
affected < 2.19.4-r12fixed 2.19.4-r12
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the
CVE-2025-12183HigNov 28, 2025
affected < 2.19.4-r12fixed 2.19.4-r12
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.
CVE-2025-9624Nov 25, 2025
affected < 2.19.4-r0fixed 2.19.4-r0
A vulnerability in OpenSearch allows attackers to cause Denial of Service (DoS) by submitting complex query_string inputs. This issue affects all OpenSearch versions between 3.0.0 and < 3.3.0 and OpenSearch < 2.19.4.
CVE-2025-58057Sep 3, 2025
affected < 2.19.4-r0fixed 2.19.4-r0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056Sep 3, 2025
affected < 2.19.4-r0fixed 2.19.4-r0
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-54988Aug 20, 2025
affected < 2.19.4-r0fixed 2.19.4-r0
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger ma

Page 1 of 3