VYPR

apk package

wolfi/sonarqube-scripts

pkg:apk/wolfi/sonarqube-scripts

Vulnerabilities (16)

  • CVE-2025-68390Dec 18, 2025
    affected < 25.12.0.117093-r0fixed 25.12.0.117093-r0

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.

  • CVE-2025-37731Dec 15, 2025
    affected < 25.12.0.117093-r1fixed 25.12.0.117093-r1

    Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

  • CVE-2025-59250Oct 14, 2025
    affected < 0fixed 0

    Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-11226MedOct 1, 2025
    affected < 0fixed 0

    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia

  • CVE-2025-48734May 28, 2025
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2025-25193Feb 10, 2025
    affected < 0fixed 0

    Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts

  • CVE-2024-57699HigFeb 5, 2025
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a

  • CVE-2024-12801LowDec 19, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE

  • CVE-2024-12798MedDec 19, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an en

  • CVE-2024-47535Nov 12, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application

  • CVE-2024-47554Oct 3, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are

  • CVE-2024-37280Jun 13, 2024
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lea

  • CVE-2024-23445Jun 12, 2024
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body  restricts search for a given index using the query or the field_s

  • CVE-2024-30172HigMay 14, 2024
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

  • CVE-2023-44483Oct 20, 2023
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are

  • CVE-2022-40152Sep 16, 2022
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denia