VYPR

apk package

wolfi/wildfly-openjdk-21

pkg:apk/wolfi/wildfly-openjdk-21

Vulnerabilities (42)

  • CVE-2026-1002 · Jan 15, 2026
    affected < 38.0.1-r2 · fixed 38.0.1-r2

    The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co

  • CVE-2025-12543 · Jan 7, 2026
    affected < 39.0.0-r0 · fixed 39.0.0-r0

    A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are

  • CVE-2025-67735 · Dec 16, 2025
    affected < 38.0.1-r1 · fixed 38.0.1-r1

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2024-3884 · Hig · Dec 3, 2025
    affected < 39.0.0-r0 · fixed 39.0.0-r0

    A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issu

  • CVE-2025-58057 · Sep 3, 2025
    affected < 37.0.1-r0 · fixed 37.0.1-r0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056 · Sep 3, 2025
    affected < 37.0.1-r1 · fixed 37.0.1-r1

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch

  • CVE-2025-9784 · Sep 2, 2025
    affected < 38.0.0-r0 · fixed 38.0.0-r0

    A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-si

  • CVE-2025-55163 · Aug 13, 2025
    affected < 37.0.0-r1 · fixed 37.0.0-r1

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the

  • CVE-2025-48913 · Aug 8, 2025
    affected < 36.0.1-r8 · fixed 36.0.1-r8

    If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrad

  • CVE-2025-7962 · Jul 21, 2025
    affected < 36.0.1-r8 · fixed 36.0.1-r8

    In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.

  • CVE-2025-48795 · Jul 15, 2025
    affected < 36.0.1-r7 · fixed 36.0.1-r7

    Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing

  • CVE-2025-48924 · Jul 11, 2025
    affected < 36.0.1-r6 · fixed 36.0.1-r6

    Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr

  • CVE-2025-53864 · Med · Jul 11, 2025
    affected < 36.0.1-r6 · fixed 36.0.1-r6

    Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue beca

  • CVE-2025-27817 · Jun 10, 2025
    affected < 36.0.1-r5 · fixed 36.0.1-r5

    A possible arbitrary file read and SSRF vulnerability has been identified in Apache Kafka Client. Apache Kafka Clients accept configuration data for setting the SASL/OAUTHBEARER connection with the brokers, including "sasl.oauthbearer.token.endpoint.url" and "sasl.oauthbearer.jwk

  • CVE-2025-48734 · May 28, 2025
    affected < 36.0.1-r4 · fixed 36.0.1-r4

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2025-4949 · May 21, 2025
    affected < 36.0.1-r1 · fixed 36.0.1-r1

    In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML Exte

  • CVE-2025-27427 · Apr 1, 2025
    affected < 35.0.1-r17 · fixed 35.0.1-r17

    A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular ad

  • CVE-2025-2240 · Hig · Mar 12, 2025
    affected < 35.0.1-r14 · fixed 35.0.1-r14

    A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

  • CVE-2025-25193 · Feb 10, 2025
    affected < 35.0.1-r12 · fixed 35.0.1-r12

    Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts

  • CVE-2025-24970 · Feb 10, 2025
    affected < 35.0.1-r12 · fixed 35.0.1-r12

    Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cas