apk package
wolfi/thingsboard-tb-node
pkg:apk/wolfi/thingsboard-tb-node
Vulnerabilities (133)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-47764 | Med | — | < 3.9.1-r2 | 3.9.1-r2 | Oct 4, 2024 | cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo | |
| CVE-2024-38809 | Med | 5.3 | < 3.9.1-r2 | 3.9.1-r2 | Sep 27, 2024 | Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-Non | |
| CVE-2024-7254 | — | < 3.9.1-r2 | 3.9.1-r2 | Sep 19, 2024 | Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf | ||
| CVE-2024-38816 | Hig | 7.5 | < 3.8.1-r2 | 3.8.1-r2 | Sep 13, 2024 | Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S | |
| CVE-2024-43799 | — | < 3.7-r4 | 3.7-r4 | Sep 10, 2024 | Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0. | ||
| CVE-2024-45296 | Hig | 7.5 | < 3.7-r2 | 3.7-r2 | Sep 9, 2024 | path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will | |
| CVE-2024-34750 | — | < 3.7-r2 | 3.7-r2 | Jul 3, 2024 | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn | ||
| CVE-2023-52428 | — | < 3.7-r2 | 3.7-r2 | Feb 11, 2024 | In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. | ||
| CVE-2023-3635 | Med | 5.9 | < 3.7-r2 | 3.7-r2 | Jul 12, 2023 | GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class. | |
| CVE-2023-1370 | Hig | 7.5 | < 3.7-r4 | 3.7-r4 | Mar 22, 2023 | [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o | |
| CVE-2022-24329 | Med | 5.3 | < 3.7-r1 | 3.7-r1 | Feb 25, 2022 | In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. | |
| CVE-2021-31684 | Hig | 7.5 | < 3.7-r4 | 3.7-r4 | Jun 1, 2021 | A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request. | |
| CVE-2020-29582 | Med | 5.3 | < 3.7-r1 | 3.7-r1 | Feb 3, 2021 | In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions. |
- affected < 3.9.1-r2fixed 3.9.1-r2
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo
- affected < 3.9.1-r2fixed 3.9.1-r2
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-Non
- CVE-2024-7254Sep 19, 2024affected < 3.9.1-r2fixed 3.9.1-r2
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf
- affected < 3.8.1-r2fixed 3.8.1-r2
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the S
- CVE-2024-43799Sep 10, 2024affected < 3.7-r4fixed 3.7-r4
Send is a library for streaming files from the file system as a http response. Send passes untrusted user input to SendStream.redirect() which executes untrusted code. This issue is patched in send 0.19.0.
- affected < 3.7-r2fixed 3.7-r2
path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will
- CVE-2024-34750Jul 3, 2024affected < 3.7-r2fixed 3.7-r2
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn
- CVE-2023-52428Feb 11, 2024affected < 3.7-r2fixed 3.7-r2
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
- affected < 3.7-r2fixed 3.7-r2
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
- affected < 3.7-r4fixed 3.7-r4
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o
- affected < 3.7-r1fixed 3.7-r1
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
- affected < 3.7-r4fixed 3.7-r4
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
- affected < 3.7-r1fixed 3.7-r1
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Page 7 of 7