apk package

wolfi/thingsboard-tb-mqtt-transport

pkg:apk/wolfi/thingsboard-tb-mqtt-transport

Vulnerabilities (88)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-44248	Med	5.3	< 4.3.1.1-r9	4.3.1.1-r9	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is
CVE-2026-42587	Hig	7.5	< 4.3.1.1-r9	4.3.1.1-r9	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42586	Med	6.8	< 4.3.1.1-r9	4.3.1.1-r9	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) cha
CVE-2026-42585	Med	6.5	< 4.3.1.1-r5	4.3.1.1-r5	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584	Hig	7.3	< 4.3.1.1-r5	4.3.1.1-r5	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583	Hig	7.5	< 4.3.1.1-r9	4.3.1.1-r9	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581	Med	5.8	< 4.3.1.1-r5	4.3.1.1-r5	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580	Med	6.5	< 4.3.1.1-r5	4.3.1.1-r5	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42579	Hig	7.5	< 4.3.1.1-r8	4.3.1.1-r8	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon
CVE-2026-42578	Hig	7.5	< 4.3.1.1-r9	4.3.1.1-r9	May 13, 2026	Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
CVE-2026-42577	Hig	7.5	< 4.3.1.1-r10	4.3.1.1-r10	May 13, 2026	Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
CVE-2026-41417	Med	5.3	< 4.3.1.1-r5	4.3.1.1-r5	May 6, 2026	Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-22745	Med	5.3	< 4.3.1.1-r11	4.3.1.1-r11	Apr 29, 2026	Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is
CVE-2026-22741	Low	3.1	< 4.3.1.1-r11	4.3.1.1-r11	Apr 29, 2026	Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuri
CVE-2026-40973	Hig	7.0	< 4.3.1.1-r11	4.3.1.1-r11	Apr 28, 2026	A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session
CVE-2026-34500	Med	6.5	< 4.3.1.1-r11	4.3.1.1-r11	Apr 9, 2026	CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommend
CVE-2026-34487	Hig	7.5	< 4.3.1.1-r11	4.3.1.1-r11	Apr 9, 2026	Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 thr
CVE-2026-34483	Hig	7.5	< 4.3.1.1-r11	4.3.1.1-r11	Apr 9, 2026	Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version
CVE-2026-32990	Med	5.3	< 4.3.1.1-r11	4.3.1.1-r11	Apr 9, 2026	Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,
CVE-2026-29146	Hig	7.5	< 4.3.1.1-r2	4.3.1.1-r2	Apr 9, 2026	Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

CVE-2026-44248MedMay 13, 2026
affected < 4.3.1.1-r9fixed 4.3.1.1-r9
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is
CVE-2026-42587HigMay 13, 2026
affected < 4.3.1.1-r9fixed 4.3.1.1-r9
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for
CVE-2026-42586MedMay 13, 2026
affected < 4.3.1.1-r9fixed 4.3.1.1-r9
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) cha
CVE-2026-42585MedMay 13, 2026
affected < 4.3.1.1-r5fixed 4.3.1.1-r5
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42584HigMay 13, 2026
affected < 4.3.1.1-r5fixed 4.3.1.1-r5
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the
CVE-2026-42583HigMay 13, 2026
affected < 4.3.1.1-r9fixed 4.3.1.1-r9
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload
CVE-2026-42581MedMay 13, 2026
affected < 4.3.1.1-r5fixed 4.3.1.1-r5
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. T
CVE-2026-42580MedMay 13, 2026
affected < 4.3.1.1-r5fixed 4.3.1.1-r5
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.
CVE-2026-42579HigMay 13, 2026
affected < 4.3.1.1-r8fixed 4.3.1.1-r8
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS respon
CVE-2026-42578HigMay 13, 2026
affected < 4.3.1.1-r9fixed 4.3.1.1-r9
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHea
CVE-2026-42577HigMay 13, 2026
affected < 4.3.1.1-r10fixed 4.3.1.1-r10
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
CVE-2026-41417MedMay 6, 2026
affected < 4.3.1.1-r5fixed 4.3.1.1-r5
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`. The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does no
CVE-2026-22745MedApr 29, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is
CVE-2026-22741LowApr 29, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuri
CVE-2026-40973HigApr 28, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session
CVE-2026-34500MedApr 9, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommend
CVE-2026-34487HigApr 9, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 thr
CVE-2026-34483HigApr 9, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version
CVE-2026-32990MedApr 9, 2026
affected < 4.3.1.1-r11fixed 4.3.1.1-r11
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,
CVE-2026-29146HigApr 9, 2026
affected < 4.3.1.1-r2fixed 4.3.1.1-r2
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Page 1 of 5