apk package

wolfi/strimzi-kafka-operator

pkg:apk/wolfi/strimzi-kafka-operator

Vulnerabilities (18)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-68161		—	< 0.49.1-r2	0.49.1-r2	Dec 18, 2025	The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2024-29371		—	< 0.49.1-r1	0.49.1-r1	Dec 17, 2025	In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and proc
CVE-2025-11965		—	< 0.48.0-r1	0.48.0-r1	Oct 22, 2025	In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
CVE-2025-11966		—	< 0.48.0-r1	0.48.0-r1	Oct 22, 2025	In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories
CVE-2025-58457		—	< 0.47.0-r8	0.47.0-r8	Sep 24, 2025	Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.
CVE-2025-58057		—	< 0.47.0-r7	0.47.0-r7	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056		—	< 0.47.0-r7	0.47.0-r7	Sep 3, 2025	Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-55163		—	< 0.47.0-r3	0.47.0-r3	Aug 13, 2025	Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
CVE-2025-27817		—	< 0.46.0-r6	0.46.0-r6	Jun 10, 2025	A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk
CVE-2025-48734		—	< 0.46.0-r5	0.46.0-r5	May 28, 2025	Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no
CVE-2025-25193		—	< 0	0	Feb 10, 2025	Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
CVE-2025-24970		—	< 0.47.0-r1	0.47.0-r1	Feb 10, 2025	Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas
CVE-2024-57699	Hig	7.5	< 0.48.0-r1	0.48.0-r1	Feb 5, 2025	A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a
CVE-2024-56128		—	< 0.46.1-r0	0.46.1-r0	Dec 18, 2024	Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as
CVE-2024-31141		—	< 0.44.0-r2	0.44.0-r2	Nov 19, 2024	Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apa
CVE-2024-47535		—	< 0	0	Nov 12, 2024	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
CVE-2024-8184		—	< 0.45.0-r1	0.45.0-r1	Oct 14, 2024	There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
CVE-2024-47554		—	< 0.45.0-r2	0.45.0-r2	Oct 3, 2024	Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are

CVE-2025-68161Dec 18, 2025
affected < 0.49.1-r2fixed 0.49.1-r2
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
CVE-2024-29371Dec 17, 2025
affected < 0.49.1-r1fixed 0.49.1-r1
In jose4j before 0.9.6, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and proc
CVE-2025-11965Oct 22, 2025
affected < 0.48.0-r1fixed 0.48.0-r1
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
CVE-2025-11966Oct 22, 2025
affected < 0.48.0-r1fixed 0.48.0-r1
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories
CVE-2025-58457Sep 24, 2025
affected < 0.47.0-r8fixed 0.47.0-r8
Improper permission check in ZooKeeper AdminServer lets authorized clients to run snapshot and restore command with insufficient permissions. This issue affects Apache ZooKeeper: from 3.9.0 before 3.9.4. Users are recommended to upgrade to version 3.9.4, which fixes the issue.
CVE-2025-58057Sep 3, 2025
affected < 0.47.0-r7fixed 0.47.0-r7
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
CVE-2025-58056Sep 3, 2025
affected < 0.47.0-r7fixed 0.47.0-r7
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
CVE-2025-55163Aug 13, 2025
affected < 0.47.0-r3fixed 0.47.0-r3
Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the
CVE-2025-27817Jun 10, 2025
affected < 0.46.0-r6fixed 0.46.0-r6
A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk
CVE-2025-48734May 28, 2025
affected < 0.46.0-r5fixed 0.46.0-r5
Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no
CVE-2025-25193Feb 10, 2025
affected < 0fixed 0
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
CVE-2025-24970Feb 10, 2025
affected < 0.47.0-r1fixed 0.47.0-r1
Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas
CVE-2024-57699HigFeb 5, 2025
affected < 0.48.0-r1fixed 0.48.0-r1
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a
CVE-2024-56128Dec 18, 2024
affected < 0.46.1-r0fixed 0.46.1-r0
Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM implementation. Issue Summary: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802 [1]. Specifically, as
CVE-2024-31141Nov 19, 2024
affected < 0.44.0-r2fixed 0.44.0-r2
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apa
CVE-2024-47535Nov 12, 2024
affected < 0fixed 0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
CVE-2024-8184Oct 14, 2024
affected < 0.45.0-r1fixed 0.45.0-r1
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
CVE-2024-47554Oct 3, 2024
affected < 0.45.0-r2fixed 0.45.0-r2
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are