VYPR

apk package

wolfi/thingsboard-tb-js-executor

pkg:apk/wolfi/thingsboard-tb-js-executor

Vulnerabilities (60)

  • CVE-2024-53990CriDec 2, 2024
    affected < 3.9-r1fixed 3.9-r1

    The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When making any HTTP request, the automatically enabled and self-managed CookieStore (aka cookie jar) will silently replace explicitly defined Coo

  • CVE-2024-38827MedDec 2, 2024
    affected < 3.8.1-r4fixed 3.8.1-r4

    The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

  • CVE-2024-31141Nov 19, 2024
    affected < 3.8.1-r4fixed 3.8.1-r4

    Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apa

  • CVE-2024-47535Nov 12, 2024
    affected < 3.8.1-r3fixed 3.8.1-r3

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application

  • CVE-2024-51504Nov 7, 2024
    affected < 4.0.1-r51fixed 4.0.1-r51

    When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthentication

  • CVE-2024-38821CriOct 28, 2024
    affected < 3.8.1-r2fixed 3.8.1-r2

    Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's

  • CVE-2024-38820Oct 18, 2024
    affected < 3.8.1-r1fixed 3.8.1-r1

    The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

  • CVE-2024-47764MedOct 4, 2024
    affected < 3.9.1-r2fixed 3.9.1-r2

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-38809MedSep 27, 2024
    affected < 3.9.1-r2fixed 3.9.1-r2

    Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-Non

  • CVE-2024-7254Sep 19, 2024
    affected < 3.9.1-r2fixed 3.9.1-r2

    Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf

  • CVE-2024-38816HigSep 13, 2024
    affected < 3.8.1-r2fixed 3.8.1-r2

    Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S

  • CVE-2024-43799Sep 10, 2024
    affected < 3.7-r4fixed 3.7-r4

    Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.

  • CVE-2024-45296HigSep 9, 2024
    affected < 3.7-r2fixed 3.7-r2

    path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will

  • CVE-2024-34750Jul 3, 2024
    affected < 3.7-r2fixed 3.7-r2

    Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn

  • CVE-2023-52428Feb 11, 2024
    affected < 3.7-r2fixed 3.7-r2

    In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

  • CVE-2023-3635Jul 12, 2023
    affected < 3.7-r2fixed 3.7-r2

    GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

  • CVE-2023-1370Mar 13, 2023
    affected < 3.7-r4fixed 3.7-r4

    [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o

  • CVE-2022-24329Feb 25, 2022
    affected < 3.7-r1fixed 3.7-r1

    In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

  • CVE-2021-31684Jun 1, 2021
    affected < 3.7-r4fixed 3.7-r4

    A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.

  • CVE-2020-29582Feb 3, 2021
    affected < 3.7-r1fixed 3.7-r1

    In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Page 3 of 3