VYPR

rpm package

almalinux/slf4j

pkg:rpm/almalinux/slf4j

Vulnerabilities (16)

  • CVE-2025-52999HigJun 25, 2025
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the de

  • CVE-2025-48734May 28, 2025
    affected < 1.7.25-4.module_el8.0.0+6004+2fc32706fixed 1.7.25-4.module_el8.0.0+6004+2fc32706

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2022-29599May 23, 2022
    affected < 1.7.28-3.module_el8.6.0+2786+d7c38b21fixed 1.7.28-3.module_el8.6.0+2786+d7c38b21

    In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

  • CVE-2020-36518Mar 11, 2022
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.

  • CVE-2020-13956Dec 2, 2020
    affected < 1.7.28-3.module_el8.6.0+2786+d7c38b21fixed 1.7.28-3.module_el8.6.0+2786+d7c38b21

    Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

  • CVE-2019-17531Oct 12, 2019
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the

  • CVE-2019-16943Oct 1, 2019
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an att

  • CVE-2019-16942Oct 1, 2019
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and a

  • CVE-2019-16335Sep 15, 2019
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

  • CVE-2019-14540Sep 15, 2019
    affected < 1.7.25-4.module_el8.5.0+2577+9e95fe00fixed 1.7.25-4.module_el8.5.0+2577+9e95fe00

    A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

  • CVE-2019-10086Aug 20, 2019
    affected < 1.7.25-4.module_el8.0.0+6004+2fc32706fixed 1.7.25-4.module_el8.0.0+6004+2fc32706

    In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the Prop

  • CVE-2019-12384Jun 24, 2019
    affected < 1.7.25-4.module_el8.6.0+2752+f1f3449efixed 1.7.25-4.module_el8.6.0+2752+f1f3449e

    FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

  • CVE-2018-11784MedOct 4, 2018
    affected < 1.7.25-4.module_el8.6.0+2752+f1f3449efixed 1.7.25-4.module_el8.6.0+2752+f1f3449e

    When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated

  • CVE-2018-8037MedAug 2, 2018
    affected < 1.7.25-4.module_el8.6.0+2752+f1f3449efixed 1.7.25-4.module_el8.6.0+2752+f1f3449e

    If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors

  • CVE-2018-8034HigAug 1, 2018
    affected < 1.7.25-4.module_el8.6.0+2752+f1f3449efixed 1.7.25-4.module_el8.6.0+2752+f1f3449e

    The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

  • CVE-2018-8014CriMay 16, 2018
    affected < 1.7.25-4.module_el8.6.0+2752+f1f3449efixed 1.7.25-4.module_el8.6.0+2752+f1f3449e

    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it approp