VYPR

apk package

wolfi/thingsboard-tb-node

pkg:apk/wolfi/thingsboard-tb-node

Vulnerabilities (133)

  • CVE-2026-54517medJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    ## Summary In `BeanDeserializer._deserializeUsingPropertyBased`, the active-view (`@JsonView`) filter was applied only to creator properties; the regular property-buffering branch performed no `prop.visibleInView(activeView)` check. A change making `SetterlessProperty.isMerging()

  • CVE-2026-54516medJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    ## Summary `POJOPropertiesCollector._renameProperties()` allows a property with `@JsonProperty("renamed")` on the getter and `@JsonIgnore` on the setter to be renamed rather than dropped. With `MapperFeature.INFER_PROPERTY_MUTATORS` enabled (default), the private backing field is

  • CVE-2026-54515medJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    ## Summary In `BeanDeserializerBase.createContextual()`, per-property `@JsonIgnoreProperties` exclusions are applied by `_handleByNameInclusion()`, producing a `contextual` deserializer whose `BeanPropertyMap` has the ignored properties removed. The subsequent per-property case-i

  • CVE-2026-54514medJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    ## Summary `JDKFromStringDeserializer` constructed `InetSocketAddress` with `new InetSocketAddress(host, port)`, which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an `InetSocketAdd

  • CVE-2026-54513higJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an expli

  • CVE-2026-54512higJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`), `DatabindContext._resolveAndVal

  • CVE-2026-54518medJun 23, 2026
    affected < 4.3.1.2-r12fixed 4.3.1.2-r12

    ## Summary `UnwrappedPropertyHandler.processUnwrappedCreatorProperties()` replays buffered JSON into creator parameters but never consults `prop.visibleInView(activeView)`. The normal property-based creator path gates creator properties on the active view, but this unwrapped-crea

  • CVE-2026-50560MedJun 12, 2026
    affected < 4.3.1.2-r14fixed 4.3.1.2-r14

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset. There is a setting in the http2 specification called

  • CVE-2026-50020MedJun 12, 2026
    affected < 4.3.1.2-r14fixed 4.3.1.2-r14

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, before reading the first request-line, `HttpObjectDecoder` skips every byte for which `Character.isISOControl(b)` is `true` (0x00–0x1F and 0

  • CVE-2026-50011HigJun 12, 2026
    affected < 4.3.1.2-r13fixed 4.3.1.2-r13

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That c

  • CVE-2026-50010HigJun 12, 2026
    affected < 4.3.1.2-r14fixed 4.3.1.2-r14

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers() and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrappe

  • CVE-2026-48059HigJun 12, 2026
    affected < 4.3.1.2-r7fixed 4.3.1.2-r7

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the HAProxy PROXY protocol v2 codec in netty leaks native or heap memory on every connection when a client sends a syntactically valid heade

  • CVE-2026-48043MedJun 12, 2026
    affected < 4.3.1.2-r8fixed 4.3.1.2-r8

    Netty is a network application framework for development of protocol servers and clients. In netty-codec-http2 prior to versions 4.1.135.Final and 4.2.15.Final, the `DelegatingDecompressorFrameListener` class orchestrates HTTP/2 decompression by embedding a per-stream `EmbeddedCh

  • CVE-2026-48006HigJun 12, 2026
    affected < 4.3.1.2-r13fixed 4.3.1.2-r13

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, the RedisArrayAggregator handler permanently leaks pooled direct-memory buffers when a Redis pipeline connection closes before a RESP array

  • CVE-2026-47691HigJun 12, 2026
    affected < 4.3.1.2-r5fixed 4.3.1.2-r5

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's `DnsResolveContext` insufficiently validates the bailiwick of NS records, enabling DNS Cache Poisoning. An attacker controlling an a

  • CVE-2026-47244MedJun 12, 2026
    affected < 4.3.1.2-r8fixed 4.3.1.2-r8

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, DefaultHttp2Connection.DefaultEndpoint initialises maxActiveStreams/maxStreams to Integer.MAX_VALUE, and Http2Settings never inserts SETTING

  • CVE-2026-46340HigJun 12, 2026
    affected < 4.3.1.2-r6fixed 4.3.1.2-r6

    Netty is a network application framework for development of protocol servers and clients. In versions of netty-transport-sctp prior to 4.1.135.Final and 4.2.15.Final, for each non-complete SctpMessage fragment the handler does `fragments.put(streamId, Unpooled.wrappedBuffer(frag,

  • CVE-2026-45674HigJun 12, 2026
    affected < 4.3.1.2-r5fixed 4.3.1.2-r5

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DnsResolveContext fails to validate the origin (bailiwick) of CNAME records in DNS responses. Versions 4.1.135.Final and 4.2.15.Fina

  • CVE-2026-45673MedJun 12, 2026
    affected < 4.3.1.2-r5fixed 4.3.1.2-r5

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Netty's DNS resolver uses a predictable PRNG for generating DNS transaction IDs and defaults to a static UDP source port. This combination r

  • CVE-2026-45536MedJun 12, 2026
    affected < 4.3.1.2-r8fixed 4.3.1.2-r8

    Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, netty_unix_socket_recvFd sets msg_control to `char control[CMSG_SPACE(sizeof(int))]` (line 940) — 24 bytes on 64-bit Linux. A peer-sent SCM_

Page 1 of 7