diff --git a/docker/SYSTEMDS-3878/README.md b/docker/SYSTEMDS-3878/README.md
new file mode 100644
index 00000000000..bccd9a1e926
--- /dev/null
+++ b/docker/SYSTEMDS-3878/README.md
@@ -0,0 +1,727 @@
+<!-- 
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# 
+-->
+
+# Data Integration and Large-Scale Analysis
+## Overview
+
+This README presents the project 3878 and serves as index for the documentation.
+
+The goal of SYSTEMDS-3878 as presented in [jira](https://issues.apache.org/jira/browse/SYSTEMDS-3878) is to "Improve Docker Security":
+>This task is to improve the security of the Docker images we provide. Currently we get an 'F' evaluation on DockerHub, and we would like instead to provide secure images.
+https://hub.docker.com/repository/docker/apache/systemds/general
+
+**Table of contents**
+
+- [Data Integration and Large-Scale Analysis](#data-integration-and-large-scale-analysis)
+  - [Overview](#overview)
+  - [Working on apache/systemds](#working-on-apachesystemds)
+    - [Create a fork](#create-a-fork)
+    - [Commiting](#commiting)
+  - [Docker scout cves](#docker-scout-cves)
+    - [Usage](#usage)
+    - [Command details](#command-details)
+    - [Solve vulnerabilities](#solve-vulnerabilities)
+    - [Inspection commands to find tricky packages](#inspection-commands-to-find-tricky-packages)
+    - [`docker scout` helloworld example](#docker-scout-helloworld-example)
+  - [Student Project SYSTEMDS-3878](#student-project-systemds-3878)
+    - [Results](#results)
+    - [Summary of Changes](#summary-of-changes)
+    - [Testing](#testing)
+  - [Appendix](#appendix)
+    - [`docker scout` helloworld output](#docker-scout-helloworld-output)
+    - [Output of `mvn dependency:tree` before any change](#output-of-mvn-dependencytree-before-any-change)
+
+
+## Working on apache/systemds
+
+### Create a fork
+
+1. Fork systemds github on own account
+2. Invite project member
+1. Create SSH-key locally on computer
+1. Add public key to github account
+1. Clone project on computer (git clone git@\<link>.git)
+1. Get a local version of the systemds project on the computer
+
+### Commiting
+
+Extract from [CONTRIBUTING.md](https://github.com/qschnee/systemds/blob/main/CONTRIBUTING.md).
+
+A commit or PR description is a public record of **what** change is being made and **why**.
+
+#### Structure of the description
+
+##### First Line
+
+1. A summary of what the changeset.
+2. A complete sentence, crafted as though it was an order.
+    - an imperative sentence
+    - Writing the rest of the description as an imperative is optional.
+3. Follow by an empty line.
+
+##### Body
+
+It consists of the following.
+
+1. A brief description of the problem solved.
+2. Why this is the best approach?.
+3. Shortcomings to the approach, if any (important!).
+
+Additional info
+
+4. background information
+   - bug/issue/jira numbers
+   - benchmark/test results
+   - links to design documents
+   - code attributions
+5. Include enough context for
+   - reviewers
+   - future readers to understand the Changes.
+6. Add PR number, like `Closes #1000`.
+
+#### Example for this project:
+
+```text
+[MINOR][SYSTEMDS-3878] Fix <file>.Dockerfile vulnerability (<bug>)
+
+This commit fixes the following vulnerability identified by docker scout cves: <...>. The following changes have been made on the Dockerfile: <...>.
+<Sources/justifications>
+<Shortcomings>
+<new CVE if not fully resolved>
+```
+
+## Docker scout cves
+
+We used the tool docker scout cves to identify and solve vulenrabilities in the systemds image build from the Dockerfile.
+
+From the man page:
+>The docker scout cves command analyzes a software artifact for vulnerabilities. \
+If no image is specified, the most recently built image is used. \
+[...] \
+The tool analyzes the provided software artifact, and generates a vulnerability report.
+
+### Usage
+
+``` sh
+cd path/to/systemds
+./docker/build.sh
+docker scout cves --details --format markdown -o docker/scout_results/sysds_outputX.md --epss apache/systemds
+```
+
+To identify the location of tricky packages, using the json output with `--format sarif` helps by showing the path to the vulnerable package (which is not shown in the "human-readable" markdown output).
+
+### Command details
+
+#### Local analysis
+
+To use docker scout and see if local changes succesfully solved a vulnerability, it is necessary to modify `sysds.Dockerfile`. \
+`systemds` is cloned from github instead of using the local systemds project. This change should be reverted and rever merged to the master branch.
+```Dockerfile
+# Build the system
+# RUN git clone --depth 1 https://github.com/apache/systemds.git systemds && \
+# 	cd /usr/src/systemds/ && \
+# 	mvn --no-transfer-progress clean package -P distribution
+
+# Copy the local SystemDS source into the image
+COPY . /usr/src/systemds
+# Build SystemDS
+RUN cd /usr/src/systemds && \
+   mvn --no-transfer-progress clean package -P distribution
+```
+
+#### Options
+
+<https://docs.docker.com/reference/cli/docker/scout/cves/>
+
+1. build systemds project \
+   `./docker/build.sh`
+   - builds the image with the tag: `apache/systemds:latest`
+   - default runs: `docker image build -f docker/sysds.Dockerfile -t apache/systemds:latest .`
+   - modify `docker/build.sh` to change the selected `Dockerfile` for the build
+2. scout \
+   `docker scout cves --details --format markdown -o <docker_subdirecory>/scout_results/<file>_output0.md --epss apache/systemds` (from systemds directory)
+   - `--details`: verbose
+   - `--format markdown`: output in markdown format
+   - `-o <path_to_file>`: write output to file
+   - `-epss`: show epss score
+      - `--epss --epss-score 0.1`: filter for vulnerabilities that have more than 10% probability to be exploited.
+
+#### Troubleshoot
+Docker scout does not run because `/tmp` is full:
+- `df -h`: to see usage of partitions.
+- `du -h /home/schnee/DIA-sysds-scout-tmp/` to see directory usage.
+- `docker scout cache df` and `docker scout cache prune` to view and clear scout cache.
+
+Change default tmp partition to a bigger filesystem
+- `export TMPDIR=/absolute/path/to/sysds-scout-tmp`
+- `export DOCKER_SCOUT_CACHE_DIR=/absolute/path/to/sysds-scout-tmp`
+
+<details>
+
+   <summary> Directly from filesystem (Dockerfile)</summary>
+
+   > Does Not Work
+
+   No vulnerability found
+
+   ```bash
+   cd project_root_directory
+   docker scout cves --format markdown -o scout_results/output0.md --epss fs://docker_subdirecory/file.Dockerfile
+   ```
+
+</details>
+
+### Solve vulnerabilities
+
+By using the CVE code and reading its description, most vulnerabilities have solutions or workarounds.
+
+#### Upgrading the related package
+
+One way to solve a vulerability is simply to upgrade the package the CVE happens in.
+
+> Sometimes, the package that raised the CVE is not included in the `pom.xml`. This can happen if the package is a dependency of another imported package. \
+> `mvn dependency:tree` (example output can be found [here](#output-of-mvn-dependencytree-before-any-change)) shows all imported packages and implicit dependencies imported by other packets.
+
+#### Remove or switch the packet
+
+If the vulnerability comes from a transitive dependency:
+1. update the parent dependency to a newer version which doesn't use the vulnerable packet. \
+This can be verified in Maven Repository <https://mvnrepository.com/> by searching the parent packet.
+1. exclude the vulnerable package from the parent and explicitly import a newer version of the vulnerable package. \
+By doing this, the parent dependency will use the explicit version instead of the vulnerable one.
+
+### Inspection commands to find tricky packages
+
+As mentioned before, using the `sarif` format in scout could help identify where the vulnerale package comes from.
+
+If this does not help, it is possible to inspect the image directly to find the related jar. Here, `apache/zookeeper` is used as reference:
+- copy container filesystem to analyze jars: 
+
+  ```sh
+  docker create --name temp apache/systemds
+  docker export temp > img.tar
+  mkdir filesystem_img
+  tar -xf img.tar -C filesystem_img
+  #Analysis
+  rm -rf img.tar temp filesystem_img
+  docker rm temp
+  ```
+  - Find all references to zookeeper
+
+    `find filesystem_img -name '*zookeeper*'`
+  - List all libs 
+    
+    `ls -la ./filesystem_img/systemds/target/lib/`
+  - Inspect the jars in the image for references to zookeeper
+
+    `find ./filesystem_img -name '*.jar' -exec sh -c 'jar tf {} | grep -i zookeeper && echo "--- Found in {}"' \;`
+- Inspect the local jars for references to zookeeper 
+
+  `jar tf ~/.m2/repository/org/apache/hadoop/hadoop-common/3.3.6/hadoop-common-3.3.6.jar | grep -i zookeeper`
+
+### `docker scout` helloworld example
+
+To test if docker scout works correctly on your machine, you can create a simple "Hello World" Dockerfile.
+
+```bash
+mkdir scout_hello_world
+cd scout_hello_world
+echo -e "FROM ubuntu:latest\nRUN apt-get update && apt-get install -y curl\nCMD ["curl", "https://example.com"]" > Dockerfile
+docker build -t scout_hello_world_img .
+# optionally check image: docker images | grep hello_world
+docker scout cves scout_hello_world_img
+```
+
+1. create and enter new directory
+2. Create new file `Dockerfile` and write content into it
+1. Build docker image from current directory `.` \
+   With name scout_hello_wolrd (`-t`)
+1. Scout the image with the name
+
+The output can be viewed in the [appendix](#docker-scout-helloworld-output)
+
+
+## Student Project SYSTEMDS-3878
+
+### Results
+
+We managed to solve a lot of CVEs: 
+
+| FROM: | <img alt="critical: 4" src="https://img.shields.io/badge/critical-4-8b1924"/>    | <img alt="high: 29" src="https://img.shields.io/badge/high-29-e25d68"/> | <img alt="medium: 36" src="https://img.shields.io/badge/medium-36-fbb552"/> | <img alt="low: 9" src="https://img.shields.io/badge/low-9-fce1a9"/> | <img alt="unspecified: 1" src="https://img.shields.io/badge/unspecified-1-lightgrey"/> |
+| :---- | :------------------------------------------------------------------------------- | :---------------------------------------------------------------------- | :-------------------------------------------------------------------------- | :------------------------------------------------------------------ | :------------------------------------------------------------------------------------- |
+| TO:   | <img alt="critical: 0" src="https://img.shields.io/badge/critical-0-lightgrey"/> | <img alt="high: 6" src="https://img.shields.io/badge/high-6-e25d68"/>   | <img alt="medium: 8" src="https://img.shields.io/badge/medium-8-fbb552"/>   | <img alt="low: 1" src="https://img.shields.io/badge/low-1-fce1a9"/> | <img alt="unspecified: 1" src="https://img.shields.io/badge/unspecified-1-lightgrey"/> |
+
+The `scout` reports can be viewed in details: 
+- [scan-before-fixes](scan-before-fixes.md)
+- [scan-after-fixes](scan-after-fixes.md)
+
+[unfixed-vulnerabilities](unfixed-vulnerabilities.md) has been written to explain the last vulnerabilities that hove not been fixed and why.
+
+### Summary of Changes
+
+The changes made during the project have been documented in [summary-of-changes](summary-of-changes.md). A detailed example on how we solved vulnerabilities is also described.
+
+### Testing
+Running `mvn clean verify` after our changes returns the same output.
+
+## Appendix
+
+### `docker scout` helloworld output
+
+[Return](#docker-scout-helloworld-example) to `docker scout` helloworld
+
+<details>
+   
+   <summary> Output from scout should be something similar to this: </summary>
+
+   ```bash
+      ✓ Image stored for indexing
+      ✓ Indexed 160 packages
+      ✓ Provenance obtained from attestation
+      ✗ Detected 8 vulnerable packages with a total of 10 vulnerabilities
+
+
+   ## Overview
+
+                      │         Analyzed Image          
+   ───────────────────┼─────────────────────────────────
+    Target            │  scout_hello_world_img:latest   
+      digest          │  65884f6905ea                   
+      platform        │ linux/amd64                     
+      vulnerabilities │    0C     0H     2M     8L      
+      size            │ 73 MB                           
+      packages        │ 160                             
+
+
+   ## Packages and Vulnerabilities
+
+      0C     0H     1M     0L  pam 1.5.3-5ubuntu5.5
+   pkg:deb/ubuntu/pam@1.5.3-5ubuntu5.5?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ MEDIUM CVE-2025-8941
+         https://scout.docker.com/v/CVE-2025-8941
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+
+      0C     0H     1M     0L  tar 1.35+dfsg-3build1
+   pkg:deb/ubuntu/tar@1.35%2Bdfsg-3build1?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ MEDIUM CVE-2025-45582
+         https://scout.docker.com/v/CVE-2025-45582
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+
+      0C     0H     0M     3L  curl 8.5.0-2ubuntu10.6
+   pkg:deb/ubuntu/curl@8.5.0-2ubuntu10.6?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ LOW CVE-2025-9086
+         https://scout.docker.com/v/CVE-2025-9086
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+      ✗ LOW CVE-2025-10148
+         https://scout.docker.com/v/CVE-2025-10148
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+      ✗ LOW CVE-2025-0167
+         https://scout.docker.com/v/CVE-2025-0167
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+
+      0C     0H     0M     1L  libgcrypt20 1.10.3-2build1
+   pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ LOW CVE-2024-2236
+         https://scout.docker.com/v/CVE-2024-2236
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+
+      0C     0H     0M     1L  coreutils 9.4-3ubuntu6.1
+   pkg:deb/ubuntu/coreutils@9.4-3ubuntu6.1?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ LOW CVE-2016-2781
+         https://scout.docker.com/v/CVE-2016-2781
+         Affected range : >=0                                           
+         Fixed version  : not fixed                                     
+         CVSS Score     : 6.5                                           
+         CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N  
+      
+
+      0C     0H     0M     1L  shadow 1:4.13+dfsg1-4ubuntu3.2
+   pkg:deb/ubuntu/shadow@1%3A4.13%2Bdfsg1-4ubuntu3.2?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ LOW CVE-2024-56433
+         https://scout.docker.com/v/CVE-2024-56433
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+
+      0C     0H     0M     1L  gnupg2 2.4.4-2ubuntu17.3
+   pkg:deb/ubuntu/gnupg2@2.4.4-2ubuntu17.3?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ LOW CVE-2022-3219
+         https://scout.docker.com/v/CVE-2022-3219
+         Affected range : >=0                                           
+         Fixed version  : not fixed                                     
+         CVSS Score     : 3.3                                           
+         CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L  
+      
+
+      0C     0H     0M     1L  openssl 3.0.13-0ubuntu3.6
+   pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.6?os_distro=noble&os_name=ubuntu&os_version=24.04
+
+      ✗ LOW CVE-2024-41996
+         https://scout.docker.com/v/CVE-2024-41996
+         Affected range : >=0        
+         Fixed version  : not fixed  
+      
+
+
+   10 vulnerabilities found in 8 packages
+   CRITICAL  0  
+   HIGH      0  
+   MEDIUM    2  
+   LOW       8  
+
+
+   What's next:
+      View base image update recommendations → docker scout recommendations scout_hello_world_img:latest
+
+
+   ```
+
+</details>
+
+### Output of `mvn dependency:tree` before any change
+
+[Return](#upgrading-the-related-package) to solving vulnerabilities. \
+[Return](./summary-of-changes/README.md#detailed-example-orgapachezookeeperzookeeper) to zookeeper example.
+
+<details>
+
+   <summary>terminal output</summary>
+
+   ```bash
+   [INFO] org.apache.systemds:systemds:jar:3.4.0-SNAPSHOT
+   [INFO] +- org.jcuda:jcuda:jar:12.6.0:provided
+   [INFO] +- org.jcuda:jcublas:jar:12.6.0:provided
+   [INFO] +- org.jcuda:jcusparse:jar:12.6.0:provided
+   [INFO] +- org.jcuda:jcusolver:jar:12.6.0:provided
+   [INFO] +- org.jcuda:jcudnn:jar:12.6.0:provided
+   [INFO] +- org.jcuda:jcuda-natives:jar:windows-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcublas-natives:jar:windows-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcusparse-natives:jar:windows-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcusolver-natives:jar:windows-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcudnn-natives:jar:windows-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcuda-natives:jar:linux-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcublas-natives:jar:linux-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcusparse-natives:jar:linux-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcusolver-natives:jar:linux-x86_64:12.6.0:provided
+   [INFO] +- org.jcuda:jcudnn-natives:jar:linux-x86_64:12.6.0:provided
+   [INFO] +- org.apache.spark:spark-core_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.avro:avro:jar:1.11.2:compile
+   [INFO] |  +- org.apache.avro:avro-mapred:jar:1.11.2:compile
+   [INFO] |  |  \- org.apache.avro:avro-ipc:jar:1.11.2:compile
+   [INFO] |  |     \- org.tukaani:xz:jar:1.9:compile
+   [INFO] |  +- com.twitter:chill_2.12:jar:0.10.0:compile
+   [INFO] |  |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
+   [INFO] |  |     \- com.esotericsoftware:minlog:jar:1.3.0:compile
+   [INFO] |  +- com.twitter:chill-java:jar:0.10.0:compile
+   [INFO] |  +- org.apache.xbean:xbean-asm9-shaded:jar:4.23:compile
+   [INFO] |  +- org.apache.spark:spark-launcher_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.spark:spark-kvstore_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.spark:spark-network-common_2.12:jar:3.5.0:compile
+   [INFO] |  |  \- com.google.crypto.tink:tink:jar:1.9.0:compile
+   [INFO] |  |     \- joda-time:joda-time:jar:2.12.5:compile
+   [INFO] |  +- org.apache.spark:spark-network-shuffle_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.spark:spark-unsafe_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.spark:spark-common-utils_2.12:jar:3.5.0:compile
+   [INFO] |  +- javax.activation:activation:jar:1.1.1:compile
+   [INFO] |  +- org.apache.curator:curator-recipes:jar:2.13.0:compile
+   [INFO] |  |  \- org.apache.curator:curator-framework:jar:2.13.0:compile
+   [INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
+   [INFO] |  |  +- org.apache.zookeeper:zookeeper-jute:jar:3.6.3:compile
+   [INFO] |  |  \- org.apache.yetus:audience-annotations:jar:0.5.0:compile
+   [INFO] |  +- jakarta.servlet:jakarta.servlet-api:jar:4.0.3:compile
+   [INFO] |  +- commons-codec:commons-codec:jar:1.16.0:compile
+   [INFO] |  +- org.apache.commons:commons-compress:jar:1.23.0:compile
+   [INFO] |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
+   [INFO] |  +- org.apache.commons:commons-text:jar:1.10.0:compile
+   [INFO] |  +- commons-io:commons-io:jar:2.13.0:compile
+   [INFO] |  +- commons-collections:commons-collections:jar:3.2.2:compile
+   [INFO] |  +- org.apache.commons:commons-collections4:jar:4.4:compile
+   [INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.0:compile
+   [INFO] |  +- com.ning:compress-lzf:jar:1.1.2:compile
+   [INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.10.3:compile
+   [INFO] |  +- org.lz4:lz4-java:jar:1.8.0:compile
+   [INFO] |  +- com.github.luben:zstd-jni:jar:1.5.5-4:compile
+   [INFO] |  +- org.roaringbitmap:RoaringBitmap:jar:0.9.45:compile
+   [INFO] |  |  \- org.roaringbitmap:shims:jar:0.9.45:runtime
+   [INFO] |  +- org.scala-lang.modules:scala-xml_2.12:jar:2.1.0:compile
+   [INFO] |  +- org.scala-lang:scala-library:jar:2.12.18:compile
+   [INFO] |  +- org.scala-lang:scala-reflect:jar:2.12.18:compile
+   [INFO] |  +- org.json4s:json4s-jackson_2.12:jar:3.7.0-M11:compile
+   [INFO] |  |  \- org.json4s:json4s-core_2.12:jar:3.7.0-M11:compile
+   [INFO] |  |     +- org.json4s:json4s-ast_2.12:jar:3.7.0-M11:compile
+   [INFO] |  |     \- org.json4s:json4s-scalap_2.12:jar:3.7.0-M11:compile
+   [INFO] |  +- org.glassfish.jersey.core:jersey-client:jar:2.40:compile
+   [INFO] |  |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
+   [INFO] |  |  \- org.glassfish.hk2.external:jakarta.inject:jar:2.6.1:compile
+   [INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.40:compile
+   [INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
+   [INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:compile
+   [INFO] |  +- org.glassfish.jersey.core:jersey-server:jar:2.40:compile
+   [INFO] |  |  \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
+   [INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet:jar:2.40:compile
+   [INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.40:compile
+   [INFO] |  +- org.glassfish.jersey.inject:jersey-hk2:jar:2.40:compile
+   [INFO] |  |  +- org.glassfish.hk2:hk2-locator:jar:2.6.1:compile
+   [INFO] |  |  |  +- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.6.1:compile
+   [INFO] |  |  |  +- org.glassfish.hk2:hk2-api:jar:2.6.1:compile
+   [INFO] |  |  |  \- org.glassfish.hk2:hk2-utils:jar:2.6.1:compile
+   [INFO] |  |  \- org.javassist:javassist:jar:3.29.2-GA:compile
+   [INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-native-epoll:jar:linux-aarch_64:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-native-kqueue:jar:osx-aarch_64:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.96.Final:compile
+   [INFO] |  +- com.clearspring.analytics:stream:jar:2.9.6:compile
+   [INFO] |  +- io.dropwizard.metrics:metrics-core:jar:4.2.19:compile
+   [INFO] |  +- io.dropwizard.metrics:metrics-jvm:jar:4.2.19:compile
+   [INFO] |  +- io.dropwizard.metrics:metrics-json:jar:4.2.19:compile
+   [INFO] |  +- io.dropwizard.metrics:metrics-graphite:jar:4.2.19:compile
+   [INFO] |  +- io.dropwizard.metrics:metrics-jmx:jar:4.2.19:compile
+   [INFO] |  +- com.fasterxml.jackson.module:jackson-module-scala_2.12:jar:2.15.2:compile
+   [INFO] |  |  \- com.thoughtworks.paranamer:paranamer:jar:2.8:compile
+   [INFO] |  +- org.apache.ivy:ivy:jar:2.5.1:compile
+   [INFO] |  +- oro:oro:jar:2.0.8:compile
+   [INFO] |  +- net.razorvine:pickle:jar:1.3:compile
+   [INFO] |  +- org.apache.spark:spark-tags_2.12:jar:3.5.0:compile
+   [INFO] |  \- org.apache.commons:commons-crypto:jar:1.1.0:compile
+   [INFO] +- org.apache.spark:spark-sql_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.rocksdb:rocksdbjni:jar:8.3.2:compile
+   [INFO] |  +- com.univocity:univocity-parsers:jar:2.9.1:compile
+   [INFO] |  +- org.apache.spark:spark-sketch_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.spark:spark-catalyst_2.12:jar:3.5.0:compile
+   [INFO] |  |  +- org.apache.spark:spark-sql-api_2.12:jar:3.5.0:compile
+   [INFO] |  |  |  +- org.apache.arrow:arrow-vector:jar:12.0.1:compile
+   [INFO] |  |  |  |  +- org.apache.arrow:arrow-format:jar:12.0.1:compile
+   [INFO] |  |  |  |  +- org.apache.arrow:arrow-memory-core:jar:12.0.1:compile
+   [INFO] |  |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.15.1:compile
+   [INFO] |  |  |  |  \- com.google.flatbuffers:flatbuffers-java:jar:1.12.0:compile
+   [INFO] |  |  |  \- org.apache.arrow:arrow-memory-netty:jar:12.0.1:compile
+   [INFO] |  |  \- org.apache.datasketches:datasketches-java:jar:3.3.0:compile
+   [INFO] |  |     \- org.apache.datasketches:datasketches-memory:jar:2.1.0:compile
+   [INFO] |  +- org.apache.orc:orc-core:jar:shaded-protobuf:1.9.1:compile
+   [INFO] |  |  +- org.apache.orc:orc-shims:jar:1.9.1:compile
+   [INFO] |  |  +- io.airlift:aircompressor:jar:0.25:compile
+   [INFO] |  |  +- org.jetbrains:annotations:jar:17.0.0:compile
+   [INFO] |  |  \- org.threeten:threeten-extra:jar:1.7.1:compile
+   [INFO] |  +- org.apache.orc:orc-mapreduce:jar:shaded-protobuf:1.9.1:compile
+   [INFO] |  +- org.apache.hive:hive-storage-api:jar:2.8.1:compile
+   [INFO] |  +- org.apache.parquet:parquet-column:jar:1.13.1:compile
+   [INFO] |  |  +- org.apache.parquet:parquet-common:jar:1.13.1:compile
+   [INFO] |  |  \- org.apache.parquet:parquet-encoding:jar:1.13.1:compile
+   [INFO] |  \- org.apache.parquet:parquet-hadoop:jar:1.13.1:compile
+   [INFO] |     +- org.apache.parquet:parquet-format-structures:jar:1.13.1:compile
+   [INFO] |     \- org.apache.parquet:parquet-jackson:jar:1.13.1:runtime
+   [INFO] +- org.apache.spark:spark-mllib_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.scala-lang.modules:scala-parser-combinators_2.12:jar:2.3.0:compile
+   [INFO] |  +- org.apache.spark:spark-streaming_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.apache.spark:spark-graphx_2.12:jar:3.5.0:compile
+   [INFO] |  |  \- net.sourceforge.f2j:arpack_combined_all:jar:0.1:compile
+   [INFO] |  +- org.apache.spark:spark-mllib-local_2.12:jar:3.5.0:compile
+   [INFO] |  +- org.scalanlp:breeze_2.12:jar:2.1.0:compile
+   [INFO] |  |  +- org.scalanlp:breeze-macros_2.12:jar:2.1.0:compile
+   [INFO] |  |  +- net.sf.opencsv:opencsv:jar:2.3:compile
+   [INFO] |  |  +- com.github.wendykierp:JTransforms:jar:3.1:compile
+   [INFO] |  |  |  \- pl.edu.icm:JLargeArrays:jar:1.5:compile
+   [INFO] |  |  +- org.scala-lang.modules:scala-collection-compat_2.12:jar:2.7.0:compile
+   [INFO] |  |  \- org.typelevel:spire_2.12:jar:0.17.0:compile
+   [INFO] |  |     +- org.typelevel:spire-macros_2.12:jar:0.17.0:compile
+   [INFO] |  |     +- org.typelevel:spire-platform_2.12:jar:0.17.0:compile
+   [INFO] |  |     +- org.typelevel:spire-util_2.12:jar:0.17.0:compile
+   [INFO] |  |     \- org.typelevel:algebra_2.12:jar:2.0.1:compile
+   [INFO] |  |        \- org.typelevel:cats-kernel_2.12:jar:2.1.1:compile
+   [INFO] |  +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.2:compile
+   [INFO] |  |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
+   [INFO] |  |  \- com.sun.istack:istack-commons-runtime:jar:3.0.8:compile
+   [INFO] |  +- dev.ludovic.netlib:blas:jar:3.0.3:compile
+   [INFO] |  +- dev.ludovic.netlib:lapack:jar:3.0.3:compile
+   [INFO] |  \- dev.ludovic.netlib:arpack:jar:3.0.3:compile
+   [INFO] +- org.apache.hadoop:hadoop-common:jar:3.3.6:compile
+   [INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_7:jar:1.1.1:compile
+   [INFO] |  +- org.apache.hadoop:hadoop-annotations:jar:3.3.6:compile
+   [INFO] |  +- org.apache.hadoop.thirdparty:hadoop-shaded-guava:jar:1.1.1:compile
+   [INFO] |  +- com.google.guava:guava:jar:27.0-jre:compile
+   [INFO] |  |  +- com.google.guava:failureaccess:jar:1.0:compile
+   [INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
+   [INFO] |  |  +- org.checkerframework:checker-qual:jar:2.5.2:compile
+   [INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
+   [INFO] |  +- commons-cli:commons-cli:jar:1.2:compile
+   [INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
+   [INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
+   [INFO] |  +- commons-net:commons-net:jar:3.9.0:compile
+   [INFO] |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
+   [INFO] |  +- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
+   [INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.51.v20230217:compile
+   [INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.51.v20230217:compile
+   [INFO] |  |  \- org.eclipse.jetty:jetty-io:jar:9.4.51.v20230217:compile
+   [INFO] |  +- org.eclipse.jetty:jetty-util:jar:9.4.51.v20230217:compile
+   [INFO] |  +- org.eclipse.jetty:jetty-servlet:jar:9.4.51.v20230217:compile
+   [INFO] |  |  \- org.eclipse.jetty:jetty-security:jar:9.4.51.v20230217:compile
+   [INFO] |  +- org.eclipse.jetty:jetty-webapp:jar:9.4.51.v20230217:compile
+   [INFO] |  |  \- org.eclipse.jetty:jetty-xml:jar:9.4.51.v20230217:compile
+   [INFO] |  +- javax.servlet.jsp:jsp-api:jar:2.1:runtime
+   [INFO] |  +- com.sun.jersey:jersey-core:jar:1.19.4:compile
+   [INFO] |  |  \- javax.ws.rs:jsr311-api:jar:1.1.1:compile
+   [INFO] |  +- com.sun.jersey:jersey-servlet:jar:1.19.4:compile
+   [INFO] |  +- com.github.pjfanning:jersey-json:jar:1.20:compile
+   [INFO] |  |  +- org.codehaus.jettison:jettison:jar:1.1:compile
+   [INFO] |  |  \- com.sun.xml.bind:jaxb-impl:jar:2.2.3-1:compile
+   [INFO] |  +- com.sun.jersey:jersey-server:jar:1.19.4:compile
+   [INFO] |  +- ch.qos.reload4j:reload4j:jar:1.2.22:compile
+   [INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
+   [INFO] |  +- org.apache.commons:commons-configuration2:jar:2.8.0:compile
+   [INFO] |  +- com.google.re2j:re2j:jar:1.1:compile
+   [INFO] |  +- com.google.code.gson:gson:jar:2.9.0:compile
+   [INFO] |  +- org.apache.hadoop:hadoop-auth:jar:3.3.6:compile
+   [INFO] |  |  +- com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile
+   [INFO] |  |  \- org.apache.kerby:kerb-simplekdc:jar:1.0.1:compile
+   [INFO] |  |     +- org.apache.kerby:kerb-client:jar:1.0.1:compile
+   [INFO] |  |     |  +- org.apache.kerby:kerby-config:jar:1.0.1:compile
+   [INFO] |  |     |  +- org.apache.kerby:kerb-common:jar:1.0.1:compile
+   [INFO] |  |     |  |  \- org.apache.kerby:kerb-crypto:jar:1.0.1:compile
+   [INFO] |  |     |  +- org.apache.kerby:kerb-util:jar:1.0.1:compile
+   [INFO] |  |     |  \- org.apache.kerby:token-provider:jar:1.0.1:compile
+   [INFO] |  |     \- org.apache.kerby:kerb-admin:jar:1.0.1:compile
+   [INFO] |  |        +- org.apache.kerby:kerb-server:jar:1.0.1:compile
+   [INFO] |  |        |  \- org.apache.kerby:kerb-identity:jar:1.0.1:compile
+   [INFO] |  |        \- org.apache.kerby:kerby-xdr:jar:1.0.1:compile
+   [INFO] |  +- com.jcraft:jsch:jar:0.1.55:compile
+   [INFO] |  +- org.apache.curator:curator-client:jar:5.2.0:compile
+   [INFO] |  +- org.apache.kerby:kerb-core:jar:1.0.1:compile
+   [INFO] |  |  \- org.apache.kerby:kerby-pkix:jar:1.0.1:compile
+   [INFO] |  |     +- org.apache.kerby:kerby-asn1:jar:1.0.1:compile
+   [INFO] |  |     \- org.apache.kerby:kerby-util:jar:1.0.1:compile
+   [INFO] |  +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
+   [INFO] |  +- com.fasterxml.woodstox:woodstox-core:jar:5.4.0:compile
+   [INFO] |  \- dnsjava:dnsjava:jar:2.1.7:compile
+   [INFO] +- org.apache.hadoop:hadoop-hdfs:jar:3.3.6:compile
+   [INFO] |  +- org.eclipse.jetty:jetty-util-ajax:jar:9.4.51.v20230217:compile
+   [INFO] |  +- commons-daemon:commons-daemon:jar:1.0.13:compile
+   [INFO] |  +- io.netty:netty:jar:3.10.6.Final:compile
+   [INFO] |  \- org.fusesource.leveldbjni:leveldbjni-all:jar:1.8:compile
+   [INFO] +- org.apache.hadoop:hadoop-client:jar:3.3.6:compile
+   [INFO] |  +- org.apache.hadoop:hadoop-hdfs-client:jar:3.3.6:compile
+   [INFO] |  +- org.apache.hadoop:hadoop-yarn-api:jar:3.3.6:compile
+   [INFO] |  |  \- javax.xml.bind:jaxb-api:jar:2.2.11:compile
+   [INFO] |  +- org.apache.hadoop:hadoop-yarn-client:jar:3.3.6:compile
+   [INFO] |  |  +- org.eclipse.jetty.websocket:websocket-client:jar:9.4.51.v20230217:compile
+   [INFO] |  |  |  +- org.eclipse.jetty:jetty-client:jar:9.4.51.v20230217:compile
+   [INFO] |  |  |  \- org.eclipse.jetty.websocket:websocket-common:jar:9.4.51.v20230217:compile
+   [INFO] |  |  |     \- org.eclipse.jetty.websocket:websocket-api:jar:9.4.51.v20230217:compile
+   [INFO] |  |  \- org.jline:jline:jar:3.9.0:compile
+   [INFO] |  +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:3.3.6:compile
+   [INFO] |  |  \- org.apache.hadoop:hadoop-yarn-common:jar:3.3.6:compile
+   [INFO] |  |     +- com.sun.jersey:jersey-client:jar:1.19.4:compile
+   [INFO] |  |     +- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.12.7:compile
+   [INFO] |  |     \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.12.7:compile
+   [INFO] |  |        \- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.12.7:compile
+   [INFO] |  \- org.apache.hadoop:hadoop-mapreduce-client-jobclient:jar:3.3.6:compile
+   [INFO] |     \- org.apache.hadoop:hadoop-mapreduce-client-common:jar:3.3.6:compile
+   [INFO] +- commons-logging:commons-logging:jar:1.1.3:compile
+   [INFO] +- org.apache.commons:commons-math3:jar:3.4.1:compile
+   [INFO] +- org.apache.wink:wink-json4j:jar:1.4:compile
+   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
+   [INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
+   [INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
+   [INFO] +- junit:junit:jar:4.13.1:provided
+   [INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:provided
+   [INFO] +- org.openjdk.jol:jol-core:jar:0.10:test
+   [INFO] +- org.mockito:mockito-core:jar:5.1.0:test
+   [INFO] |  +- net.bytebuddy:byte-buddy:jar:1.12.22:test
+   [INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.22:test
+   [INFO] |  \- org.objenesis:objenesis:jar:3.3:compile
+   [INFO] +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:test
+   [INFO] +- org.codehaus.janino:janino:jar:3.1.9:provided
+   [INFO] |  \- org.codehaus.janino:commons-compiler:jar:3.1.9:compile
+   [INFO] +- org.antlr:antlr4:jar:4.8:provided
+   [INFO] |  +- org.antlr:ST4:jar:4.3:provided
+   [INFO] |  +- org.abego.treelayout:org.abego.treelayout.core:jar:1.0.3:provided
+   [INFO] |  +- org.glassfish:javax.json:jar:1.0.4:provided
+   [INFO] |  \- com.ibm.icu:icu4j:jar:61.1:provided
+   [INFO] +- org.antlr:antlr4-runtime:jar:4.8:compile
+   [INFO] +- org.apache.derby:derby:jar:10.14.2.0:provided
+   [INFO] +- io.netty:netty-all:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-buffer:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-dns:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-haproxy:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-http:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-http2:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-memcache:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-mqtt:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-redis:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-smtp:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-socks:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-stomp:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-codec-xml:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-common:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-handler:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-native-unix-common:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-handler-ssl-ocsp:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-resolver:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-rxtx:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-sctp:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-udt:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-classes-epoll:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-transport-classes-kqueue:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-resolver-dns-classes-macos:jar:4.1.96.Final:compile
+   [INFO] |  +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.96.Final:runtime
+   [INFO] |  \- io.netty:netty-resolver-dns-native-macos:jar:osx-aarch_64:4.1.96.Final:runtime
+   [INFO] +- net.sf.py4j:py4j:jar:0.10.9:compile
+   [INFO] +- com.google.protobuf:protobuf-java:jar:3.23.4:compile
+   [INFO] +- com.google.protobuf:protobuf-java-util:jar:3.23.4:compile
+   [INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.18.0:compile
+   [INFO] |  \- com.google.j2objc:j2objc-annotations:jar:2.8:compile
+   [INFO] +- org.slf4j:slf4j-api:jar:2.0.11:compile
+   [INFO] +- org.slf4j:slf4j-reload4j:jar:2.0.11:compile
+   [INFO] +- org.slf4j:jul-to-slf4j:jar:2.0.11:compile
+   [INFO] +- org.slf4j:jcl-over-slf4j:jar:2.0.11:compile
+   [INFO] +- org.apache.logging.log4j:log4j-api:jar:2.22.1:compile
+   [INFO] +- org.apache.logging.log4j:log4j-core:jar:2.22.1:compile
+   [INFO] \- ch.randelshofer:fastdoubleparser:jar:0.9.0:compile
+   [INFO] ------------------------------------------------------------------------
+   [INFO] BUILD SUCCESS
+   [INFO] ------------------------------------------------------------------------
+   [INFO] Total time:  59.447 s
+   [INFO] Finished at: 2025-12-08T10:24:00+01:00
+   [INFO] ------------------------------------------------------------------------
+   ```
+</details>
diff --git a/docker/SYSTEMDS-3878/scan-after-fixes.md b/docker/SYSTEMDS-3878/scan-after-fixes.md
new file mode 100644
index 00000000000..e1c13bfe133
--- /dev/null
+++ b/docker/SYSTEMDS-3878/scan-after-fixes.md
@@ -0,0 +1,578 @@
+<!-- 
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# 
+-->
+
+[Return](README.md#student-project-systemds-3878) to SYSTEMDS-3878.
+
+    i New version 1.19.0 available (installed version is 1.18.3) at https://github.com/docker/scout-cli
+    ✓ Image stored for indexing
+    ✓ Indexed 343 packages
+    ✓ Provenance obtained from attestation
+    ✗ Detected 8 vulnerable packages with a total of 16 vulnerabilities
+    ✓ Report written to docker/scout_results/sysds_output_pom.md
+<h2>:mag: Vulnerabilities of <code>apache/systemds:latest</code></h2>
+
+<details open="true"><summary>:package: Image Reference</strong> <code>apache/systemds:latest</code></summary>
+<table>
+<tr><td>digest</td><td><code>sha256:1af186012d56c06816edfe03044d9250fb189a79769935184fb82892ce7509f3</code></td><tr><tr><td>vulnerabilities</td><td><img alt="critical: 0" src="https://img.shields.io/badge/critical-0-lightgrey"/> <img alt="high: 6" src="https://img.shields.io/badge/high-6-e25d68"/> <img alt="medium: 8" src="https://img.shields.io/badge/medium-8-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/low-1-fce1a9"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/unspecified-1-lightgrey"/></td></tr>
+<tr><td>platform</td><td>linux/amd64</td></tr>
+<tr><td>size</td><td>378 MB</td></tr>
+<tr><td>packages</td><td>343</td></tr>
+</table>
+</details></table>
+</details>
+
+<table>
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 4" src="https://img.shields.io/badge/H-4-e25d68"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>com.google.protobuf/protobuf-java</strong> <code>3.7.1</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.protobuf/protobuf-java@3.7.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-7254?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.25.5"><img alt="high 8.7: CVE--2024--7254" src="https://img.shields.io/badge/CVE--2024--7254-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.25.5</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.25.5</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.085%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>25th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.
+
+Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
+
+Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
+
+### Severity
+[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
+This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
+
+### Proof of Concept
+For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.
+
+### Remediation and Mitigation
+We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:
+* protobuf-java (3.25.5, 4.27.5, 4.28.2)
+* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
+* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
+* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
+* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-3510?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3E%3D3.0.0%2C%3C3.16.3"><img alt="high 7.5: CVE--2022--3510" src="https://img.shields.io/badge/CVE--2022--3510-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.0.0<br/><3.16.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.073%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-3509?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3E%3D3.0.0%2C%3C3.16.3"><img alt="high 7.5: CVE--2022--3509" src="https://img.shields.io/badge/CVE--2022--3509-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.0.0<br/><3.16.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.131%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>33rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-22569?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.16.1"><img alt="high 7.5: CVE--2021--22569" src="https://img.shields.io/badge/CVE--2021--22569-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Incorrect Behavior Order</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.16.1</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.1</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.291%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>52nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+
+A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
+
+Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)
+
+Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
+
+## Severity
+
+[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5,  An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
+
+## Proof of Concept
+
+For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
+
+## Remediation and Mitigation
+
+Please update to the latest available versions of the following packages:
+
+- protobuf-java (3.16.1, 3.18.2, 3.19.2) 
+- protobuf-kotlin (3.18.2, 3.19.2)
+- google-protobuf [JRuby  gem only] (3.19.2) 
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-3171?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.16.3"><img alt="medium 5.7: CVE--2022--3171" src="https://img.shields.io/badge/CVE--2022--3171-lightgrey?label=medium%205.7&labelColor=fbb552"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.16.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.083%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>24th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+A potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. 
+
+Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)
+
+Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
+
+## Severity
+
+[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
+
+## Remediation and Mitigation
+
+Please update to the latest available versions of the following packages:
+
+protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-22570?s=gitlab&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.15.0"><img alt="medium 5.5: CVE--2021--22570" src="https://img.shields.io/badge/CVE--2021--22570-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.15.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.15.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.150%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>36th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-server</strong> <code>9.4.52.v20230823</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-13009?s=github&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.4.0%2C%3C%3D9.4.56"><img alt="high 7.2: CVE--2024--13009" src="https://img.shields.io/badge/CVE--2024--13009-lightgrey?label=high%207.2&labelColor=e25d68"/></a> <i>Improper Resource Shutdown or Release</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.4.0<br/><=9.4.56</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.57.v20241219</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.2</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.130%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>33rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-8184?s=github&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.3.12%2C%3C%3D9.4.55"><img alt="medium 5.9: CVE--2024--8184" src="https://img.shields.io/badge/CVE--2024--8184-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.3.12<br/><=9.4.55</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.56</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>1.487%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>81st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+Remote DOS attack can cause out of memory 
+
+### Description
+There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which
+can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By
+repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
+server's memory.
+
+### Affected Versions
+
+* Jetty 12.0.0-12.0.8 (Supported)
+* Jetty 11.0.0-11.0.23 (EOL)
+* Jetty 10.0.0-10.0.23 (EOL)
+* Jetty 9.3.12-9.4.55 (EOL)
+
+### Patched Versions
+
+* Jetty 12.0.9
+* Jetty 11.0.24
+* Jetty 10.0.24
+* Jetty 9.4.56
+
+### Workarounds
+
+Do not use `ThreadLimitHandler`.  
+Consider use of `QoSHandler` instead to artificially limit resource utilization.
+
+### References
+
+Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>com.fasterxml.jackson.core/jackson-core</strong> <code>2.13.4</code> (maven)</summary>
+
+<small><code>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.4</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-52999?s=github&n=jackson-core&ns=com.fasterxml.jackson.core&t=maven&vr=%3C2.15.0"><img alt="high 8.7: CVE--2025--52999" src="https://img.shields.io/badge/CVE--2025--52999-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Stack-based Buffer Overflow</i>
+
+<table>
+<tr><td>Affected range</td><td><code><2.15.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.15.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.033%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>9th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+With older versions  of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large.
+
+### Patches
+jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached.
+jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.
+
+### Workarounds
+Users should avoid parsing input files from untrusted sources.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>com.google.guava/guava</strong> <code>14.0.1</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.guava/guava@14.0.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2018-10237?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D11.0%2C%3C24.1.1-android"><img alt="medium 5.9: CVE--2018--10237" src="https://img.shields.io/badge/CVE--2018--10237-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Deserialization of Untrusted Data</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=11.0<br/><24.1.1-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>24.1.1-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>3.259%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>87th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-2976?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D1.0%2C%3C32.0.0-android"><img alt="medium 5.5: CVE--2023--2976" src="https://img.shields.io/badge/CVE--2023--2976-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Creation of Temporary File in Directory with Insecure Permissions</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.0<br/><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.065%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>20th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
+
+Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2020-8908?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3C32.0.0-android"><img alt="low 3.3: CVE--2020--8908" src="https://img.shields.io/badge/CVE--2020--8908-lightgrey?label=low%203.3&labelColor=fce1a9"/></a> <i>Improper Handling of Alternate Encoding</i>
+
+<table>
+<tr><td>Affected range</td><td><code><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>3.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.072%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>busybox</strong> <code>1.36.1-r31</code> (apk)</summary>
+
+<small><code>pkg:apk/alpine/busybox@1.36.1-r31?os_name=alpine&os_version=3.20</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-60876?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C%3D1.36.1-r31"><img alt="medium : CVE--2025--60876" src="https://img.shields.io/badge/CVE--2025--60876-lightgrey?label=medium%20&labelColor=fbb552"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><=1.36.1-r31</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>EPSS Score</td><td><code>0.052%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>16th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-servlets</strong> <code>9.4.52.v20230823</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-9823?s=github&n=jetty-servlets&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.0.0%2C%3C9.4.54"><img alt="medium 5.3: CVE--2024--9823" src="https://img.shields.io/badge/CVE--2024--9823-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.0.0<br/><9.4.54</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.54</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.591%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>69th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Description
+There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
+
+
+Vulnerability details
+The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server.  The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds.  The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.
+
+
+Impact
+Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.
+
+
+Patches
+The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.
+
+
+Patched releases:
+
+  *  9.4.54
+  *  10.0.18
+  *  11.0.18
+  *  12.0.3
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-http</strong> <code>9.4.52.v20230823</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-http@9.4.52.v20230823</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-6763?s=github&n=jetty-http&ns=org.eclipse.jetty&t=maven&vr=%3E%3D7.0.0%2C%3C%3D12.0.11"><img alt="medium 6.3: CVE--2024--6763" src="https://img.shields.io/badge/CVE--2024--6763-lightgrey?label=medium%206.3&labelColor=fbb552"/></a> <i>Improper Validation of Syntactic Correctness of Input</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=7.0.0<br/><=12.0.11</code></td></tr>
+<tr><td>Fixed version</td><td><code>12.0.12</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>1.022%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>77th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+
+Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, `HttpURI`, for URI/URL parsing.
+
+The `HttpURI` class does insufficient validation on the authority segment of a URI.  However the behaviour of `HttpURI` differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC.  Specifically `HttpURI` and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
+
+## Details
+
+### Affected components
+
+The vulnerable component is the `HttpURI` class when used as a utility class in an application.  The Jetty usage of the class is not vulnerable.
+
+### Attack overview
+
+The `HttpURI` class does not well validate the authority section of a URI. When presented with an illegal authority that may contain user info (eg username:password#@hostname:port), then the parsing of the URI is not failed.  Moreover, the interpretation of what part of the authority is the host name differs from a common browser in  that they also do not fail, but they select a different host name from the illegal URI.
+
+### Attack scenario
+
+A typical attack scenario is illustrated in the diagram below. The Validator checks whether the attacker-supplied URL is on the blocklist. If not, the URI is passed to the Requester for redirection. The Requester is responsible for sending requests to the hostname specified by the URI.
+
+This attack occurs when the Validator is the `org.eclipse.jetty.http.HttpURI` class and the Requester is the `Browser` (include chrome, firefox and Safari). An attacker can send a malformed URI to the Validator (e.g., `http://browser.check%23%40vulndetector.com/` ). After validation, the Validator finds that the hostname is not on the blocklist. However, the Requester can still send requests to the domain with the hostname `vulndetector.com`.
+
+## PoC
+
+payloads:
+
+```
+http://browser.check &@vulndetector.com/
+http://browser.check #@vulndetector.com/
+http://browser.check?@vulndetector.com/
+http://browser.check#@vulndetector.com/
+http://vulndetector.com\\/
+```
+
+The problem of 302 redirect parsing in HTML tag scenarios. Below is a poc example. After clicking the button, the browser will open "browser.check", and jetty will parse this URL as "vulndetector.com".
+
+```
+<a href="http://browser.check#@vulndetector.com/"></a>
+```
+A comparison of the parsing differences between Jetty and chrome is shown in the table below (note that neither should accept the URI as valid).
+
+| Invalid URI                                       | Jetty            | Chrome        |
+| ---------------------------------------------- | ---------------- | ------------- |
+| http://browser.check &@vulndetector.com/ | vulndetector.com | browser.check |
+| http://browser.check #@vulndetector.com/ | vulndetector.com | browser.check |
+| http://browser.check?@vulndetector.com/    | vulndetector.com | browser.check |
+| http://browser.check#@vulndetector.com/    | vulndetector.com | browser.check |
+
+The problem of 302 redirect parsing in HTTP 302 Location
+
+| Input                    | Jetty          | Chrome        |
+| ------------------------ | -------------- | ------------- |
+| http://browser.check%5c/ | browser.check\ | browser.check |
+
+It is noteworthy that Spring Web also faced similar security vulnerabilities, being affected by the aforementioned four types of payloads. These issues have since been resolved and have been assigned three CVE numbers [3-5].
+
+## Impact
+
+The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly.  Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section.  The vulnerability will help attackers bypass the protections that developers have set up for hosts. The vulnerability will lead to **SSRF**[1] and **URL Redirection**[2] vulnerabilities in several cases. 
+
+## Mitigation
+
+The attacks outlined above rely on decoded user data being passed to the `HttpURI` class. Application should not pass decoded user data as an encoded URI to any URI class/method, including `HttpURI`.  Such applications are likely to be vulnerable in other ways. 
+The immediate solution is to upgrade to a version of the class that will fully validate the characters of the URI authority.  Ultimately, Jetty will deprecate and remove support for user info in the authority per [RFC9110 Section 4.2.4](https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4). 
+
+Note that the Chrome (and other browsers) parse the invalid user info section improperly as well (due to flawed WhatWG URL parsing rules that do not apply outside of a Web Browser).
+
+## Reference
+
+[1] https://cwe.mitre.org/data/definitions/918.html
+[2] https://cwe.mitre.org/data/definitions/601.html
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/U-1-lightgrey"/><strong>lz4</strong> <code>1.9.4-r5</code> (apk)</summary>
+
+<small><code>pkg:apk/alpine/lz4@1.9.4-r5?os_name=alpine&os_version=3.20</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-62813?s=alpine&n=lz4&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C%3D1.9.4-r5"><img alt="unspecified : CVE--2025--62813" src="https://img.shields.io/badge/CVE--2025--62813-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><=1.9.4-r5</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>EPSS Score</td><td><code>0.018%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>3rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+</details></td></tr>
+</table>
+
diff --git a/docker/SYSTEMDS-3878/scan-before-fixes.md b/docker/SYSTEMDS-3878/scan-before-fixes.md
new file mode 100644
index 00000000000..4429e0b68ff
--- /dev/null
+++ b/docker/SYSTEMDS-3878/scan-before-fixes.md
@@ -0,0 +1,2854 @@
+<!-- 
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# 
+-->
+
+[Return](README.md#student-project-systemds-3878) to SYSTEMDS-3878.
+
+<h2>:mag: Vulnerabilities of <code>apache/systemds:latest</code></h2>
+
+<details open="true"><summary>:package: Image Reference</strong> <code>apache/systemds:latest</code></summary>
+<table>
+<tr><td>digest</td><td><code>sha256:a31c3f1962487cf8a1508eaa6de02aef80396cfc2250e9b24544ba21d01bddcc</code></td><tr><tr><td>vulnerabilities</td><td><img alt="critical: 4" src="https://img.shields.io/badge/critical-4-8b1924"/> <img alt="high: 29" src="https://img.shields.io/badge/high-29-e25d68"/> <img alt="medium: 36" src="https://img.shields.io/badge/medium-36-fbb552"/> <img alt="low: 9" src="https://img.shields.io/badge/low-9-fce1a9"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/unspecified-1-lightgrey"/></td></tr>
+<tr><td>platform</td><td>linux/amd64</td></tr>
+<tr><td>size</td><td>380 MB</td></tr>
+<tr><td>packages</td><td>350</td></tr>
+</table>
+</details></table>
+</details>
+
+<table>
+<tr><td valign="top">
+<details><summary><img alt="critical: 1" src="https://img.shields.io/badge/C-1-8b1924"/> <img alt="high: 2" src="https://img.shields.io/badge/H-2-e25d68"/> <img alt="medium: 5" src="https://img.shields.io/badge/M-5-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.netty/netty</strong> <code>3.10.6.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty@3.10.6.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2019-20444?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="critical 9.1: CVE--2019--20444" src="https://img.shields.io/badge/CVE--2019--20444-lightgrey?label=critical%209.1&labelColor=8b1924"/></a> <i>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>9.1</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>11.096%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>93rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-37137?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="high 7.5: CVE--2021--37137" src="https://img.shields.io/badge/CVE--2021--37137-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>2.383%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>84th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well.
+
+This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
+
+### Impact
+
+All users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage.
+
+### References
+https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79
+https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171
+https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-37136?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="high 7.5: CVE--2021--37136" src="https://img.shields.io/badge/CVE--2021--37136-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>1.021%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>77th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).
+
+
+All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
+
+### Workarounds
+No workarounds other than not using the `Bzip2Decoder`
+
+### References
+
+Relevant code areas:
+
+https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80
+https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294
+https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-43797?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="medium 6.5: CVE--2021--43797" src="https://img.shields.io/badge/CVE--2021--43797-lightgrey?label=medium%206.5&labelColor=fbb552"/></a> <i>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>6.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.497%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>65th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+
+Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.
+
+Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.
+
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-21290?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="medium 6.2: CVE--2021--21290" src="https://img.shields.io/badge/CVE--2021--21290-lightgrey?label=medium%206.2&labelColor=fbb552"/></a> <i>Creation of Temporary File With Insecure Permissions</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>6.2</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.026%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>6th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+
+When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.
+
+The CVSSv3.1 score of this vulnerability is calculated to be a [6.2/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1)
+
+### Vulnerability Details
+
+On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.
+
+The method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.
+
+This is the case in netty's `AbstractDiskHttpData` is vulnerable.
+
+https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L80-L101
+
+`AbstractDiskHttpData` is used as a part of the `DefaultHttpDataFactory` class which is used by `HttpPostRequestDecoder` / `HttpPostMultiPartRequestDecoder`.
+
+You may be affected by this vulnerability your project contains the following code patterns:
+
+```java
+channelPipeline.addLast(new HttpPostRequestDecoder(...));
+```
+
+```java
+channelPipeline.addLast(new HttpPostMultiPartRequestDecoder(...));
+```
+
+### Patches
+
+This has been patched in version `4.1.59.Final`.
+
+### Workarounds
+
+Specify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.
+
+### References
+
+ - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)
+ - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)
+
+### Similar Vulnerabilities
+
+Similar, but not the same.
+
+ - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
+ - Google Guava - https://github.com/google/guava/issues/4011
+ - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
+ - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824
+
+### For more information
+If you have any questions or comments about this advisory:
+* Open an issue in [netty](https://github.com/netty/netty)
+* Email us [here](mailto:netty-security@googlegroups.com)
+
+### Original Report
+
+> Hi Netty Security Team,
+> 
+> I've been working on some security research leveraging custom CodeQL queries to detect local information disclosure vulnerabilities in java applications. This was the result from running this query against the netty project:
+> https://lgtm.com/query/7723301787255288599/
+> 
+> Netty contains three local information disclosure vulnerabilities, so far as I can tell.
+> 
+> One is here, where the private key for the certificate is written to a temporary file.
+> 
+> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L316-L346
+> 
+> One is here, where the certificate is written to a temporary file.
+> 
+> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L348-L371
+> 
+> The final one is here, where the 'AbstractDiskHttpData' creates a temporary file if the getBaseDirectory() method returns null. I believe that 'AbstractDiskHttpData' is used as a part of the file upload support? If this is the case, any files uploaded would be similarly vulnerable.
+> 
+> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L91
+> 
+> All of these vulnerabilities exist because `File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. It is my understanding that when java creates a file, by default, and using this method, the permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.
+> 
+> Impacted OS:
+> - Any OS where the system temporary directory is shared between multiple users. This is not the case for MacOS or Windows.
+> 
+> Mitigation.
+> 
+> Moving to the `Files` API instead will fix this vulnerability. 
+> https://docs.oracle.com/javase/8/docs/api/java/nio/file/Files.html#createTempFile-java.nio.file.Path-java.lang.String-java.lang.String-java.nio.file.attribute.FileAttribute...-
+> 
+> This API will explicitly set the posix file permissions to something safe, by default.
+> 
+> I recently disclosed a similar vulnerability in JUnit 4:
+> https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
+> 
+> If you're also curious, this vulnerability in Jetty was also mine, also involving temporary directories, but is not the same vulnerability as in this case.
+> https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
+> 
+> I would appreciate it if we could perform disclosure of this vulnerability leveraging the GitHub security advisories feature here. GitHub has a nice credit system that I appreciate, plus the disclosures, as you can see from the sampling above, end up looking very nice.
+> https://github.com/netty/netty/security/advisories
+> 
+> This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.
+> 
+> Cheers,
+> Jonathan Leitschuh
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-21409?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="medium 5.9: CVE--2021--21409" src="https://img.shields.io/badge/CVE--2021--21409-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>2.547%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>85th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+The content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1
+
+This is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which did miss to fix this one case. 
+
+### Patches
+This was fixed as part of 4.1.61.Final
+
+### Workarounds
+Validation can be done by the user before proxy the request by validating the header.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-21295?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="medium 5.9: CVE--2021--21295" src="https://img.shields.io/badge/CVE--2021--21295-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.360%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>57th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up.  This is fine as long as the request is not proxied through as HTTP/1.1.
+If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.  
+
+In a proxy case, users  may assume the content-length is validated somehow, which is not the case.  If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.
+
+An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1.   A sample attack request looks like:
+
+```
+POST / HTTP/2
+:authority:: externaldomain.com
+Content-Length: 4
+
+asdfGET /evilRedirect HTTP/1.1
+Host: internaldomain.com
+```
+
+Users are only affected if all of this is `true`:
+ * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used
+ * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects
+ * These  HTTP/1.1 objects are forwarded to another remote peer.
+ 
+
+### Patches
+This has been patched in 4.1.60.Final
+
+### Workarounds
+The user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
+
+### References
+Related change to workaround the problem: https://github.com/Netflix/zuul/pull/980 
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2019-20445?s=github&n=netty&ns=io.netty&t=maven&vr=%3C4.0.0"><img alt="medium : CVE--2019--20445" src="https://img.shields.io/badge/CVE--2019--20445-lightgrey?label=medium%20&labelColor=fbb552"/></a> <i>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.0.0</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>EPSS Score</td><td><code>2.837%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>86th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 1" src="https://img.shields.io/badge/C-1-8b1924"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.avro/avro</strong> <code>1.11.2</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.avro/avro@1.11.2</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-47561?s=github&n=avro&ns=org.apache.avro&t=maven&vr=%3C1.11.4"><img alt="critical 9.3: CVE--2024--47561" src="https://img.shields.io/badge/CVE--2024--47561-lightgrey?label=critical%209.3&labelColor=8b1924"/></a> <i>Deserialization of Untrusted Data</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.11.4</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.11.4</code></td></tr>
+<tr><td>CVSS Score</td><td><code>9.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.489%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>65th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
+Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-39410?s=github&n=avro&ns=org.apache.avro&t=maven&vr=%3C1.11.3"><img alt="high 7.5: CVE--2023--39410" src="https://img.shields.io/badge/CVE--2023--39410-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.11.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.11.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.061%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>19th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
+
+This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to apache-avro version 1.11.3 which addresses this issue.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 1" src="https://img.shields.io/badge/C-1-8b1924"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.zookeeper/zookeeper</strong> <code>3.6.3</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.zookeeper/zookeeper@3.6.3</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-44981?s=github&n=zookeeper&ns=org.apache.zookeeper&t=maven&vr=%3C3.7.2"><img alt="critical 9.1: CVE--2023--44981" src="https://img.shields.io/badge/CVE--2023--44981-lightgrey?label=critical%209.1&labelColor=8b1924"/></a> <i>Authorization Bypass Through User-Controlled Key</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.7.2</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.7.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>9.1</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.027%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>7th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.
+
+Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.
+
+Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.
+
+See the documentation for more details on correct cluster administration.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-23944?s=github&n=zookeeper&ns=org.apache.zookeeper&t=maven&vr=%3E%3D3.6.0%2C%3C%3D3.7.2"><img alt="medium 5.3: CVE--2024--23944" src="https://img.shields.io/badge/CVE--2024--23944-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>Exposure of Sensitive Information to an Unauthorized Actor</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.6.0<br/><=3.7.2</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.028%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>7th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.
+
+Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 1" src="https://img.shields.io/badge/C-1-8b1924"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.kerby/kerb-admin</strong> <code>1.0.1</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.kerby/kerb-admin@1.0.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-25613?s=gitlab&n=kerb-admin&ns=org.apache.kerby&t=maven&vr=%3C2.0.3"><img alt="critical 9.8: CVE--2023--25613" src="https://img.shields.io/badge/CVE--2023--25613-lightgrey?label=critical%209.8&labelColor=8b1924"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code><2.0.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.0.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>9.8</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.187%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>41st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. 
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 4" src="https://img.shields.io/badge/H-4-e25d68"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>com.google.protobuf/protobuf-java</strong> <code>3.7.1</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.protobuf/protobuf-java@3.7.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-7254?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.25.5"><img alt="high 8.7: CVE--2024--7254" src="https://img.shields.io/badge/CVE--2024--7254-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.25.5</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.25.5</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.115%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>31st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.
+
+Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
+
+Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
+
+### Severity
+[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
+This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
+
+### Proof of Concept
+For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.
+
+### Remediation and Mitigation
+We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:
+* protobuf-java (3.25.5, 4.27.5, 4.28.2)
+* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
+* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
+* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
+* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-3510?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3E%3D3.0.0%2C%3C3.16.3"><img alt="high 7.5: CVE--2022--3510" src="https://img.shields.io/badge/CVE--2022--3510-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.0.0<br/><3.16.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.066%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>20th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-3509?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3E%3D3.0.0%2C%3C3.16.3"><img alt="high 7.5: CVE--2022--3509" src="https://img.shields.io/badge/CVE--2022--3509-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.0.0<br/><3.16.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.131%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>33rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-22569?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.16.1"><img alt="high 7.5: CVE--2021--22569" src="https://img.shields.io/badge/CVE--2021--22569-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Incorrect Behavior Order</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.16.1</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.1</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.291%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>52nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+
+A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.
+
+Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)
+
+Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected.
+
+## Severity
+
+[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5,  An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.
+
+## Proof of Concept
+
+For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.
+
+## Remediation and Mitigation
+
+Please update to the latest available versions of the following packages:
+
+- protobuf-java (3.16.1, 3.18.2, 3.19.2) 
+- protobuf-kotlin (3.18.2, 3.19.2)
+- google-protobuf [JRuby  gem only] (3.19.2) 
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-3171?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.16.3"><img alt="medium 5.7: CVE--2022--3171" src="https://img.shields.io/badge/CVE--2022--3171-lightgrey?label=medium%205.7&labelColor=fbb552"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.16.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.16.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.090%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>26th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+A potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. 
+
+Reporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)
+
+Affected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
+
+## Severity
+
+[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)
+
+## Remediation and Mitigation
+
+Please update to the latest available versions of the following packages:
+
+protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+protobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
+google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-22570?s=gitlab&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.15.0"><img alt="medium 5.5: CVE--2021--22570" src="https://img.shields.io/badge/CVE--2021--22570-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.15.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.15.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.138%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>34th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 4" src="https://img.shields.io/badge/H-4-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.codehaus.jettison/jettison</strong> <code>1.1</code> (maven)</summary>
+
+<small><code>pkg:maven/org.codehaus.jettison/jettison@1.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-1436?s=github&n=jettison&ns=org.codehaus.jettison&t=maven&vr=%3C1.5.4"><img alt="high 7.5: CVE--2023--1436" src="https://img.shields.io/badge/CVE--2023--1436-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Recursion</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.5.4</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.5.4</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.024%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>6th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-45693?s=github&n=jettison&ns=org.codehaus.jettison&t=maven&vr=%3C1.5.2"><img alt="high 7.5: CVE--2022--45693" src="https://img.shields.io/badge/CVE--2022--45693-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Out-of-bounds Write</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.5.2</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.5.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.126%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>33rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-45685?s=github&n=jettison&ns=org.codehaus.jettison&t=maven&vr=%3C1.5.2"><img alt="high 7.5: CVE--2022--45685" src="https://img.shields.io/badge/CVE--2022--45685-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Out-of-bounds Write</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.5.2</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.5.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.126%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>33rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-40150?s=github&n=jettison&ns=org.codehaus.jettison&t=maven&vr=%3C1.5.2"><img alt="high 7.5: CVE--2022--40150" src="https://img.shields.io/badge/CVE--2022--40150-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.5.2</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.5.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.055%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>17th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2022-40149?s=github&n=jettison&ns=org.codehaus.jettison&t=maven&vr=%3C1.5.1"><img alt="medium 6.5: CVE--2022--40149" src="https://img.shields.io/badge/CVE--2022--40149-lightgrey?label=medium%206.5&labelColor=fbb552"/></a> <i>Stack-based Buffer Overflow</i>
+
+<table>
+<tr><td>Affected range</td><td><code><1.5.1</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.5.1</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.521%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>66th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 3" src="https://img.shields.io/badge/H-3-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.netty/netty-codec-http2</strong> <code>4.1.96.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty-codec-http2@4.1.96.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-55163?s=github&n=netty-codec-http2&ns=io.netty&t=maven&vr=%3C%3D4.1.123.Final"><img alt="high 8.2: CVE--2025--55163" src="https://img.shields.io/badge/CVE--2025--55163-lightgrey?label=high%208.2&labelColor=e25d68"/></a> <i>Allocation of Resources Without Limits or Throttling</i>
+
+<table>
+<tr><td>Affected range</td><td><code><=4.1.123.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.124.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.2</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.076%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>23rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”
+
+### MadeYouReset Vulnerability Summary
+The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service.
+
+### Mechanism
+The vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame). 
+The vulnerability could be triggered by several primitives, defined by the RFC of HTTP/2 (RFC 9113). The Primitives are:
+1. WINDOW_UPDATE frame with an increment of 0 or an increment that makes the window exceed 2^31 - 1. (section 6.9 + 6.9.1)
+2. HEADERS or DATA frames sent on a half-closed (remote) stream (which was closed using the END_STREAM flag). (note that for some implementations it's possible a CONTINUATION frame to trigger that as well - but it's very rare). (Section 5.1)
+3. PRIORITY frame with a length other than 5. (section 6.3)
+From our experience, the primitives are likely to exist in the decreasing order listed above.
+Note that based on the implementation of the library, other primitives (which are not defined by the RFC) might exist - meaning scenarios in which RST_STREAM is not supposed to be sent, but in the implementation it does. On the other hand - some RFC-defined primitives might not work, even though they are defined by the RFC (as some implementations are not fully complying with RFC). For example, some implementations we’ve seen discard the PRIORITY frame - and thus does not return RST_STREAM, and some implementations send GO_AWAY when receiving a WINDOW_UPDATE frame with increment of 0.
+
+The vulnerability takes advantage of a design flaw in the HTTP/2 protocol - While HTTP/2 has a limit on the number of concurrently active streams per connection (which is usually 100, and is set by the parameter SETTINGS_MAX_CONCURRENT_STREAMS), the number of active streams is not counted correctly - when a stream is reset, it is immediately considered not active, and thus unaccounted for in the active streams counter. 
+While the protocol does not count those streams as active, the server’s backend logic still processes and handles the requests that were canceled.
+
+Thus, the attacker can exploit this vulnerability to cause the server to handle an unbounded number of concurrent streams from a client on the same connection. The exploitation is very simple: the client issues a request in a stream, and then sends the control frame that causes the server to send a RST_STREAM.
+
+### Attack Flow
+For example, a possible attack scenario can be: 
+1. Attacker opens an HTTP/2 connection to the server.
+2. Attacker sends HEADERS frame with END_STREAM flag on a new stream X.  
+3. Attacker sends WINDOW_UPDATE for stream X with flow-control window of 0.
+4. The server receives the WINDOW_UPDATE and immediately sends RST_STREAM for stream X to the client (+ decreases the active streams counter by 1).
+
+The attacker can repeat steps 2+3 as rapidly as it is capable, since the active streams counter never exceeds 1 and the attacker does not need to wait for the response from the server.
+This leads to resource exhaustion and distributed denial of service vulnerabilities with an impact of: CPU overload and/or memory exhaustion (implementation dependent)
+
+### Comparison to Rapid Reset
+The vulnerability takes advantage of a design flow in the HTTP/2 protocol that was also used in the Rapid Reset vulnerability (CVE-2023-44487) which was exploited as a zero-day in the wild in August 2023 to October 2023, against multiple services and vendors.
+The Rapid Reset vulnerability uses RST_STREAM frames sent from the client, in order to create an unbounded amount of concurrent streams - it was given a CVSS score of 7.5.
+Rapid Reset was mostly mitigated by limiting the number/rate of RST_STREAM sent from the client, which does not mitigate the MadeYouReset attack - since it triggers the server to send a RST_STREAM.
+
+### Suggested Mitigations for MadeYouReset
+A quick and easy mitigation will be to limit the number/rate of RST_STREAMs sent from the server.
+It is also possible to limit the number/rate of control frames sent by the client (e.g. WINDOW_UPDATE and PRIORITY), and treat protocol flow errors as a connection error.
+
+As mentioned in our previous message, this is a protocol-level vulnerability that affects multiple vendors and implementations. Given its broad impact, it is the shared responsibility of all parties involved to handle the disclosure process carefully and coordinate mitigations effectively.
+
+
+If you have any questions, we will be happy to clarify or schedule a Zoom call.
+
+Gal, Anat and Yaniv.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/GHSA-xpw8-rcwv-8f8p?s=github&n=netty-codec-http2&ns=io.netty&t=maven&vr=%3C4.1.100.Final"><img alt="high 7.5: GHSA--xpw8--rcwv--8f8p" src="https://img.shields.io/badge/GHSA--xpw8--rcwv--8f8p-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.100.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.100.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. 
+
+### Impact
+This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.
+
+### Patches
+This is patched in version 4.1.100.Final.
+
+### Workarounds
+A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used).
+
+### References
+- https://www.cve.org/CVERecord?id=CVE-2023-44487
+- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
+- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-44487?s=gitlab&n=netty-codec-http2&ns=io.netty&t=maven&vr=%3C4.1.100"><img alt="high 7.5: CVE--2023--44487" src="https://img.shields.io/badge/CVE--2023--44487-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.100</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.100.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>94.419%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>100th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 2" src="https://img.shields.io/badge/H-2-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>net.minidev/json-smart</strong> <code>1.3.2</code> (maven)</summary>
+
+<small><code>pkg:maven/net.minidev/json-smart@1.3.2</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-1370?s=github&n=json-smart&ns=net.minidev&t=maven&vr=%3C2.4.9"><img alt="high 7.5: CVE--2023--1370" src="https://img.shields.io/badge/CVE--2023--1370-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Uncontrolled Recursion</i>
+
+<table>
+<tr><td>Affected range</td><td><code><2.4.9</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.4.9</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.012%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>1st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+Affected versions of [net.minidev:json-smart](https://github.com/netplex/json-smart-v1) are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.
+
+When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.
+
+### Patches
+This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug.
+
+### Workarounds
+N/A
+
+### References
+- https://www.cve.org/CVERecord?id=CVE-2023-1370
+- https://nvd.nist.gov/vuln/detail/CVE-2023-1370
+- https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2021-31684?s=github&n=json-smart&ns=net.minidev&t=maven&vr=%3E%3D1.3.0%2C%3C1.3.3"><img alt="high 7.5: CVE--2021--31684" src="https://img.shields.io/badge/CVE--2021--31684-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Out-of-bounds Read</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.3.0<br/><1.3.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.3.3</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.108%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>30th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions prior to 1.3.3 and 2.4.5 which causes a denial of service (DOS) via a crafted web request.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>openssl</strong> <code>3.3.3-r0</code> (apk)</summary>
+
+<small><code>pkg:apk/alpine/openssl@3.3.3-r0?os_name=alpine&os_version=3.20</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-9230?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C3.3.5-r0"><img alt="high : CVE--2025--9230" src="https://img.shields.io/badge/CVE--2025--9230-lightgrey?label=high%20&labelColor=e25d68"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><3.3.5-r0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.3.5-r0</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.025%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>6th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2025-9231?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C3.3.5-r0"><img alt="medium : CVE--2025--9231" src="https://img.shields.io/badge/CVE--2025--9231-lightgrey?label=medium%20&labelColor=fbb552"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><3.3.5-r0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.3.5-r0</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.015%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>2nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2025-9232?s=alpine&n=openssl&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C3.3.5-r0"><img alt="medium : CVE--2025--9232" src="https://img.shields.io/badge/CVE--2025--9232-lightgrey?label=medium%20&labelColor=fbb552"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><3.3.5-r0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.3.5-r0</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.025%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>6th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-server</strong> <code>9.4.51.v20230217</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-server@9.4.51.v20230217</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-13009?s=github&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.4.0%2C%3C%3D9.4.56"><img alt="high 7.2: CVE--2024--13009" src="https://img.shields.io/badge/CVE--2024--13009-lightgrey?label=high%207.2&labelColor=e25d68"/></a> <i>Improper Resource Shutdown or Release</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.4.0<br/><=9.4.56</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.57.v20241219</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.2</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.078%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>23rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-8184?s=github&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.3.12%2C%3C%3D9.4.55"><img alt="medium 5.9: CVE--2024--8184" src="https://img.shields.io/badge/CVE--2024--8184-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.3.12<br/><=9.4.55</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.56</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>1.528%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>81st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+Remote DOS attack can cause out of memory 
+
+### Description
+There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which
+can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By
+repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
+server's memory.
+
+### Affected Versions
+
+* Jetty 12.0.0-12.0.8 (Supported)
+* Jetty 11.0.0-11.0.23 (EOL)
+* Jetty 10.0.0-10.0.23 (EOL)
+* Jetty 9.3.12-9.4.55 (EOL)
+
+### Patched Versions
+
+* Jetty 12.0.9
+* Jetty 11.0.24
+* Jetty 10.0.24
+* Jetty 9.4.56
+
+### Workarounds
+
+Do not use `ThreadLimitHandler`.  
+Consider use of `QoSHandler` instead to artificially limit resource utilization.
+
+### References
+
+Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-40167?s=gitlab&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.0.0%2C%3C9.4.52"><img alt="medium 5.3: CVE--2023--40167" src="https://img.shields.io/badge/CVE--2023--40167-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.0.0<br/><9.4.52</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.1</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>5.222%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>90th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+
+Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.
+
+### Workarounds
+
+There is no workaround as there is no known exploit scenario. 
+
+### Original Report 
+
+[RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts "+" prefixed Content-Length, which could lead to potential HTTP request smuggling.
+
+Payload:
+
+```
+ POST / HTTP/1.1
+ Host: a.com
+ Content-Length: +16
+ Connection: close
+ ​
+ 0123456789abcdef
+```
+
+When sending this payload to Jetty, it can successfully parse and identify the length.
+
+When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.
+
+This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>com.nimbusds/nimbus-jose-jwt</strong> <code>9.8.1</code> (maven)</summary>
+
+<small><code>pkg:maven/com.nimbusds/nimbus-jose-jwt@9.8.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-52428?s=github&n=nimbus-jose-jwt&ns=com.nimbusds&t=maven&vr=%3C9.37.2"><img alt="high 8.7: CVE--2023--52428" src="https://img.shields.io/badge/CVE--2023--52428-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><9.37.2</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.37.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.080%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>24th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2025-53864?s=github&n=nimbus-jose-jwt&ns=com.nimbusds&t=maven&vr=%3C9.37.4"><img alt="medium 5.8: CVE--2025--53864" src="https://img.shields.io/badge/CVE--2025--53864-lightgrey?label=medium%205.8&labelColor=fbb552"/></a> <i>Uncontrolled Recursion</i>
+
+<table>
+<tr><td>Affected range</td><td><code><9.37.4</code></td></tr>
+<tr><td>Fixed version</td><td><code>10.0.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.8</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.095%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>27th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-server</strong> <code>9.4.52.v20230823</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-13009?s=github&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.4.0%2C%3C%3D9.4.56"><img alt="high 7.2: CVE--2024--13009" src="https://img.shields.io/badge/CVE--2024--13009-lightgrey?label=high%207.2&labelColor=e25d68"/></a> <i>Improper Resource Shutdown or Release</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.4.0<br/><=9.4.56</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.57.v20241219</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.2</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.078%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>23rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-8184?s=github&n=jetty-server&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.3.12%2C%3C%3D9.4.55"><img alt="medium 5.9: CVE--2024--8184" src="https://img.shields.io/badge/CVE--2024--8184-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.3.12<br/><=9.4.55</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.56</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>1.528%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>81st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+Remote DOS attack can cause out of memory 
+
+### Description
+There exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which
+can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack.  By
+repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
+server's memory.
+
+### Affected Versions
+
+* Jetty 12.0.0-12.0.8 (Supported)
+* Jetty 11.0.0-11.0.23 (EOL)
+* Jetty 10.0.0-10.0.23 (EOL)
+* Jetty 9.3.12-9.4.55 (EOL)
+
+### Patched Versions
+
+* Jetty 12.0.9
+* Jetty 11.0.24
+* Jetty 10.0.24
+* Jetty 9.4.56
+
+### Workarounds
+
+Do not use `ThreadLimitHandler`.  
+Consider use of `QoSHandler` instead to artificially limit resource utilization.
+
+### References
+
+Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.netty/netty-handler</strong> <code>4.1.96.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty-handler@4.1.96.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-24970?s=github&n=netty-handler&ns=io.netty&t=maven&vr=%3E%3D4.1.91.Final%2C%3C%3D4.1.117.Final"><img alt="high 7.5: CVE--2025--24970" src="https://img.shields.io/badge/CVE--2025--24970-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=4.1.91.Final<br/><=4.1.117.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.118.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.336%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>56th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+When a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.
+
+### Workarounds
+As workaround its possible to either disable the usage of the native SSLEngine or changing the code from:
+
+```
+SslContext context = ...;
+SslHandler handler = context.newHandler(....);
+```
+
+to:
+
+```
+SslContext context = ...;
+SSLEngine engine = context.newEngine(....);
+SslHandler handler = new SslHandler(engine, ....);
+```
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>commons-io/commons-io</strong> <code>2.13.0</code> (maven)</summary>
+
+<small><code>pkg:maven/commons-io/commons-io@2.13.0</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-47554?s=github&n=commons-io&ns=commons-io&t=maven&vr=%3E%3D2.0%2C%3C2.14.0"><img alt="high 8.7: CVE--2024--47554" src="https://img.shields.io/badge/CVE--2024--47554-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=2.0<br/><2.14.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.14.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.177%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>40th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Uncontrolled Resource Consumption vulnerability in Apache Commons IO.
+
+The `org.apache.commons.io.input.XmlStreamReader` class may excessively consume CPU resources when processing maliciously crafted input.
+
+
+This issue affects Apache Commons IO: from 2.0 before 2.14.0.
+
+Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>dnsjava/dnsjava</strong> <code>2.1.7</code> (maven)</summary>
+
+<small><code>pkg:maven/dnsjava/dnsjava@2.1.7</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-25638?s=github&n=dnsjava&ns=dnsjava&t=maven&vr=%3C3.6.0"><img alt="high 7.0: CVE--2024--25638" src="https://img.shields.io/badge/CVE--2024--25638-lightgrey?label=high%207.0&labelColor=e25d68"/></a> <i>Insufficient Verification of Data Authenticity</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.6.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.6.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.139%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>34th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+
+Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.
+
+### Details
+
+DNS Messages are not authenticated. They do not guarantee that
+
+- received RRs are authentic
+- not received RRs do not exist
+- all or any received records in a response relate to the request
+
+Applications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two.
+To meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)
+
+1. denote by `QNAME` the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases
+2. if the ANSWER section contains a valid PTR RRSet for `QNAME`, return it (and optionally return the list of aliases as well)
+3. if the ANSWER section contains a valid CNAME RRSet for `QNAME`, add it to the list of aliases. Set `QNAME` to the CNAME's target and go to 2.
+4. Verify that `QNAME` does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return `null`.
+
+Note that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.
+
+dnsjava does not implement a comparable algorithm, and the provided APIs instead return either
+
+- the received DNS message itself (e.g. when using a ValidatingResolver such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#dnssec-resolver) example), or
+- essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#simple-lookup-with-a-resolver) example)
+
+If applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can
+
+- In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or
+- completely exchange the relevant response records
+
+### Impact
+
+DNS(SEC) libraries are usually used as part of a larger security framework.
+Therefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request.
+Here are three concrete examples of where this might be detrimental:
+
+- [RFC 6186](https://datatracker.ietf.org/doc/html/rfc6186) specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. Exchanging the SRV records can be a tool to redirect the credentials.
+- When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic.
+- Some research projects like [LIGHTest](https://www.lightest.eu/) are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications.
+
+### Mitigations
+
+At this point, the following mitigations are recommended:
+
+- When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...).
+- For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. `LookupSession.lookupAsync`.
+- Remove APIs dealing with raw DNS messages from the examples section or place a noticable warning above.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.airlift/aircompressor</strong> <code>0.25</code> (maven)</summary>
+
+<small><code>pkg:maven/io.airlift/aircompressor@0.25</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-36114?s=github&n=aircompressor&ns=io.airlift&t=maven&vr=%3C0.27"><img alt="high 8.6: CVE--2024--36114" src="https://img.shields.io/badge/CVE--2024--36114-lightgrey?label=high%208.6&labelColor=e25d68"/></a> <i>Out-of-bounds Read</i>
+
+<table>
+<tr><td>Affected range</td><td><code><0.27</code></td></tr>
+<tr><td>Fixed version</td><td><code>0.27</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.6</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.120%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>32nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information).
+
+### Details
+When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM.
+
+Users should update to Aircompressor 0.27 or newer where these issues have been fixed.
+
+### Impact
+When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.xerial.snappy/snappy-java</strong> <code>1.1.10.3</code> (maven)</summary>
+
+<small><code>pkg:maven/org.xerial.snappy/snappy-java@1.1.10.3</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-43642?s=github&n=snappy-java&ns=org.xerial.snappy&t=maven&vr=%3C%3D1.1.10.3"><img alt="high 7.5: CVE--2023--43642" src="https://img.shields.io/badge/CVE--2023--43642-lightgrey?label=high%207.5&labelColor=e25d68"/></a> <i>Allocation of Resources Without Limits or Throttling</i>
+
+<table>
+<tr><td>Affected range</td><td><code><=1.1.10.3</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.1.10.4</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.190%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>41st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+
+snappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. 
+
+### Scope
+
+All versions of snappy-java including the latest released version 1.1.10.3.  A fix is applied in 1.1.10.4
+
+### Details
+While performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an  java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.
+
+### PoC
+Compile and run the following code:
+```
+package org.example;
+import org.xerial.snappy.SnappyInputStream;
+
+import java.io.*;
+
+public class Main {
+
+    public static void main(String[] args) throws IOException {
+        byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
+        SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));
+        byte[] out = new byte[50];
+        try {
+            in.read(out);
+        }
+        catch (Exception ignored) {
+        }
+    }
+}
+```
+
+### Impact
+Denial of Service of applications dependent on snappy-java especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.
+
+### Credits
+Jan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team. 
+
+We kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>commons-beanutils/commons-beanutils</strong> <code>1.9.4</code> (maven)</summary>
+
+<small><code>pkg:maven/commons-beanutils/commons-beanutils@1.9.4</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-48734?s=github&n=commons-beanutils&ns=commons-beanutils&t=maven&vr=%3E%3D1.0%2C%3C%3D1.10.1"><img alt="high 8.8: CVE--2025--48734" src="https://img.shields.io/badge/CVE--2025--48734-lightgrey?label=high%208.8&labelColor=e25d68"/></a> <i>Improper Access Control</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.0<br/><=1.10.1</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.11.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.8</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.048%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>15th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Improper Access Control vulnerability in Apache Commons.
+
+
+
+A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
+
+
+
+
+
+Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
+Starting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
+
+This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils
+
+ 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.
+
+
+Users of the artifact org.apache.commons:commons-beanutils2
+
+ 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>com.google.protobuf/protobuf-java</strong> <code>3.23.4</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.protobuf/protobuf-java@3.23.4</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-7254?s=github&n=protobuf-java&ns=com.google.protobuf&t=maven&vr=%3C3.25.5"><img alt="high 8.7: CVE--2024--7254" src="https://img.shields.io/badge/CVE--2024--7254-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.25.5</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.25.5</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.115%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>31st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.
+
+Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team <ecosystem@trailofbits.com>
+
+Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.
+
+### Severity
+[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)
+This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
+
+### Proof of Concept
+For reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.
+
+### Remediation and Mitigation
+We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:
+* protobuf-java (3.25.5, 4.27.5, 4.28.2)
+* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)
+* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)
+* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)
+* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>com.fasterxml.jackson.core/jackson-core</strong> <code>2.13.4</code> (maven)</summary>
+
+<small><code>pkg:maven/com.fasterxml.jackson.core/jackson-core@2.13.4</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-52999?s=github&n=jackson-core&ns=com.fasterxml.jackson.core&t=maven&vr=%3C2.15.0"><img alt="high 8.7: CVE--2025--52999" src="https://img.shields.io/badge/CVE--2025--52999-lightgrey?label=high%208.7&labelColor=e25d68"/></a> <i>Stack-based Buffer Overflow</i>
+
+<table>
+<tr><td>Affected range</td><td><code><2.15.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.15.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>8.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.030%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>8th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+With older versions  of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large.
+
+### Patches
+jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached.
+jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.
+
+### Workarounds
+Users should avoid parsing input files from untrusted sources.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 1" src="https://img.shields.io/badge/H-1-e25d68"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.netty/netty-codec-smtp</strong> <code>4.1.96.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty-codec-smtp@4.1.96.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-59419?s=github&n=netty-codec-smtp&ns=io.netty&t=maven&vr=%3C4.1.128.Final"><img alt="high 7.7: CVE--2025--59419" src="https://img.shields.io/badge/CVE--2025--59419-lightgrey?label=high%207.7&labelColor=e25d68"/></a> <i>Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.128.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.128.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>7.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P</code></td></tr>
+<tr><td>EPSS Score</td><td><code>3.189%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>87th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.
+
+### Details
+The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters.
+
+The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.
+
+Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client.
+
+### PoC
+A minimal PoC involves passing a crafted string containing CRLF sequences to any `SmtpRequest` that accepts user-controlled parameters.
+
+**1. Malicious Payload**
+
+The core of the exploit is the payload, where new SMTP commands are injected into a parameter.
+
+```java
+// The legitimate recipient is followed by an injected email sequence
+String injected_recipient = "legit-recipient@example.com\r\n" +
+                          "MAIL FROM:<ceo@trusted-domain.com>\r\n" +
+                          "RCPT TO:<victim@anywhere.com>\r\n" +
+                          "DATA\r\n" +
+                          "From: ceo@trusted-domain.com\r\n" +
+                          "To: victim@anywhere.com\r\n" +
+                          "Subject: Urgent: Phishing Email\r\n" +
+                          "\r\n" +
+                          "This is a forged email that will pass authentication checks.\r\n" +
+                          ".\r\n" +
+                          "QUIT\r\n";
+```
+
+**2. Triggering the Vulnerability**
+
+The vulnerability is triggered when this payload is used to create an SMTP request.
+
+```java
+// The Netty SMTP codec will fail to sanitize this input
+SmtpRequest maliciousRequest = SmtpRequests.rcpt(injected_recipient);
+
+// When this request is sent to an SMTP server, the injected commands
+// will be executed, sending a forged email.
+channel.writeAndFlush(maliciousRequest);
+```
+
+**3. Full Reproduction Steps**
+
+A complete, runnable PoC is available as a GitHub Gist to demonstrate the full attack flow against a local SMTP server
+
+*   **Full PoC Code:** https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c
+
+To run the full PoC:
+
+1.  **Set up a local SMTP server.** The easiest way is using MailHog:
+    *   On macOS: `brew install mailhog && mailhog`
+    *   Using Docker: `docker run -p 1025:1025 -p 8025:8025 mailhog/mailhog`
+2.  **Run the PoC code.** The code will connect to the SMTP server at `localhost:1025` and send the malicious payload.
+3.  **Verify the result.** Open the MailHog web UI at `http://localhost:8025`. You will see the forged email sent to `victim@anywhere.com` from `ceo@trusted-domain.com`.
+
+### Impact
+This is a SMTP Command Injection vulnerability. It impacts any application using `netty-codec-smtp` to construct SMTP requests where an attacker can control or influence any of the SMTP string parameters (e.g., `from`, `recipient`, `helo` hostname).
+
+The primary impacts are:
+*   **Economic Manipulation & Disinformation:** Attackers can forge emails from high-value targets (e.g., corporate executives, government officials) and send them to journalists, financial institutions, or the public. A fraudulent email announcing false financial results, a fake merger, or a security breach could be used to manipulate stock prices or cause significant economic disruption.
+*   **Sophisticated Phishing:** Attackers can send high-fidelity phishing emails that bypass email authentication (SPF/DKIM) and appear to come from a trusted source, making them highly likely to deceive users.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 3" src="https://img.shields.io/badge/M-3-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.commons/commons-compress</strong> <code>1.23.0</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.commons/commons-compress@1.23.0</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-26308?s=github&n=commons-compress&ns=org.apache.commons&t=maven&vr=%3E%3D1.21%2C%3C1.26.0"><img alt="medium 6.7: CVE--2024--26308" src="https://img.shields.io/badge/CVE--2024--26308-lightgrey?label=medium%206.7&labelColor=fbb552"/></a> <i>Allocation of Resources Without Limits or Throttling</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.21<br/><1.26.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.26.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.7</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.448%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>63rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.
+
+Users are recommended to upgrade to version 1.26, which fixes the issue.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-25710?s=github&n=commons-compress&ns=org.apache.commons&t=maven&vr=%3E%3D1.3%2C%3C1.26.0"><img alt="medium 5.9: CVE--2024--25710" src="https://img.shields.io/badge/CVE--2024--25710-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Loop with Unreachable Exit Condition ('Infinite Loop')</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.3<br/><1.26.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.26.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.019%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>4th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
+
+Users are recommended to upgrade to version 1.26.0 which fixes the issue.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-42503?s=github&n=commons-compress&ns=org.apache.commons&t=maven&vr=%3E%3D1.22%2C%3C1.24.0"><img alt="medium 5.5: CVE--2023--42503" src="https://img.shields.io/badge/CVE--2023--42503-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Improper Input Validation</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.22<br/><1.24.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.24.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.011%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>1st percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.
+
+Users are recommended to upgrade to version 1.24.0, which fixes the issue.
+
+A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.
+
+In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.
+
+Parsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].
+
+[1]:  https://issues.apache.org/jira/browse/COMPRESS-612 
+[2]:  https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 
+[3]:  https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html 
+[4]:  https://bugs.openjdk.org/browse/JDK-6560193 
+[5]:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 
+
+Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>com.google.guava/guava</strong> <code>14.0.1</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.guava/guava@14.0.1</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2018-10237?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D11.0%2C%3C24.1.1-android"><img alt="medium 5.9: CVE--2018--10237" src="https://img.shields.io/badge/CVE--2018--10237-lightgrey?label=medium%205.9&labelColor=fbb552"/></a> <i>Deserialization of Untrusted Data</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=11.0<br/><24.1.1-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>24.1.1-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>3.259%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>87th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-2976?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D1.0%2C%3C32.0.0-android"><img alt="medium 5.5: CVE--2023--2976" src="https://img.shields.io/badge/CVE--2023--2976-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Creation of Temporary File in Directory with Insecure Permissions</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.0<br/><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.071%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
+
+Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2020-8908?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3C32.0.0-android"><img alt="low 3.3: CVE--2020--8908" src="https://img.shields.io/badge/CVE--2020--8908-lightgrey?label=low%203.3&labelColor=fce1a9"/></a> <i>Improper Handling of Alternate Encoding</i>
+
+<table>
+<tr><td>Affected range</td><td><code><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>3.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.072%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-webapp</strong> <code>9.4.51.v20230217</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-webapp@9.4.51.v20230217</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-40167?s=gitlab&n=jetty-webapp&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.0.0%2C%3C9.4.52"><img alt="medium 5.3: CVE--2023--40167" src="https://img.shields.io/badge/CVE--2023--40167-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.0.0<br/><9.4.52</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.52.v20230823, 10.0.16, 11.0.16</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>5.222%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>90th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+
+Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.
+
+### Workarounds
+
+There is no workaround as there is no known exploit scenario. 
+
+### Original Report 
+
+[RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts "+" prefixed Content-Length, which could lead to potential HTTP request smuggling.
+
+Payload:
+
+```
+ POST / HTTP/1.1
+ Host: a.com
+ Content-Length: +16
+ Connection: close
+ ​
+ 0123456789abcdef
+```
+
+When sending this payload to Jetty, it can successfully parse and identify the length.
+
+When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.
+
+This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-41900?s=gitlab&n=jetty-webapp&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.4.21%2C%3C9.4.52"><img alt="medium 4.3: CVE--2023--41900" src="https://img.shields.io/badge/CVE--2023--41900-lightgrey?label=medium%204.3&labelColor=fbb552"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.4.21<br/><9.4.52</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.52.v20230823, 10.0.16, 11.0.16</code></td></tr>
+<tr><td>CVSS Score</td><td><code>4.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.131%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>33rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated.
+
+So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-36479?s=gitlab&n=jetty-webapp&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.0.0%2C%3C9.4.52"><img alt="low 3.5: CVE--2023--36479" src="https://img.shields.io/badge/CVE--2023--36479-lightgrey?label=low%203.5&labelColor=fce1a9"/></a> <i>OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.0.0<br/><9.4.52</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.52.v20230823, 10.0.16, 11.0.16</code></td></tr>
+<tr><td>CVSS Score</td><td><code>3.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>1.383%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>80th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested.
+
+```java
+if (execCmd.length() > 0 && execCmd.charAt(0) != '"' && execCmd.contains(" "))
+execCmd = "\"" + execCmd + "\"";
+```
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.commons/commons-configuration2</strong> <code>2.8.0</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.commons/commons-configuration2@2.8.0</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-29133?s=github&n=commons-configuration2&ns=org.apache.commons&t=maven&vr=%3E%3D2.0%2C%3C2.10.1"><img alt="medium 6.9: CVE--2024--29133" src="https://img.shields.io/badge/CVE--2024--29133-lightgrey?label=medium%206.9&labelColor=fbb552"/></a> <i>Out-of-bounds Write</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=2.0<br/><2.10.1</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.10.1</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.509%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>65th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' calling 'ListDelimiterHandler.flatten(Object, int)' with a cyclical object tree.
+Users are recommended to upgrade to version 2.10.1, which fixes the issue.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-29131?s=github&n=commons-configuration2&ns=org.apache.commons&t=maven&vr=%3E%3D2.0%2C%3C2.10.1"><img alt="medium 6.5: CVE--2024--29131" src="https://img.shields.io/badge/CVE--2024--29131-lightgrey?label=medium%206.5&labelColor=fbb552"/></a> <i>Out-of-bounds Write</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=2.0<br/><2.10.1</code></td></tr>
+<tr><td>Fixed version</td><td><code>2.10.1</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.203%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>42nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' when adding a property in 'AbstractListDelimiterHandler.flattenIterator()'.
+Users are recommended to upgrade to version 2.10.1, which fixes the issue.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.netty/netty-common</strong> <code>4.1.96.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty-common@4.1.96.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-25193?s=github&n=netty-common&ns=io.netty&t=maven&vr=%3C4.1.118.Final"><img alt="medium 5.5: CVE--2025--25193" src="https://img.shields.io/badge/CVE--2025--25193-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.118.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.118.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.060%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>19th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+An unsafe reading of environment file could potentially cause a denial of service in Netty.
+When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash.
+
+### Details
+A similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv
+This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit.
+
+
+### PoC
+The PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00.
+When the null-bytes are encountered by the `InputStreamReader`, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the `BufferedReader.readLine()`, because the replacement character is not a line-break character.
+
+### Impact
+Impact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-47535?s=github&n=netty-common&ns=io.netty&t=maven&vr=%3C%3D4.1.114.Final"><img alt="medium 5.4: CVE--2024--47535" src="https://img.shields.io/badge/CVE--2024--47535-lightgrey?label=medium%205.4&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code><=4.1.114.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.115.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.4</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.024%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>5th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+
+An unsafe reading of environment file could potentially cause a denial of service in Netty.
+When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash.
+
+
+### Details
+
+When the library netty is loaded in a java windows application, the library tries to identify the system environnement in which it is executed.
+
+At this stage, Netty tries to load both `/etc/os-release` and `/usr/lib/os-release` even though it is in a Windows environment. 
+
+<img width="364" alt="1" src="https://github.com/user-attachments/assets/9466b181-9394-45a3-b0e3-1dcf105def59">
+
+If netty finds this files, it reads them and loads them into memory.
+
+By default :
+
+- The JVM maximum memory size is set to 1 GB,
+- A non-privileged user can create a directory at `C:\` and create files within it.
+
+<img width="340" alt="2" src="https://github.com/user-attachments/assets/43b359a2-5871-4592-ae2b-ffc40ac76831">
+
+<img width="523" alt="3" src="https://github.com/user-attachments/assets/ad5c6eed-451c-4513-92d5-ba0eee7715c1">
+
+the source code identified :
+https://github.com/netty/netty/blob/4.1/common/src/main/java/io/netty/util/internal/PlatformDependent.java
+
+Despite the implementation of the function `normalizeOs()` the source code not verify the OS before reading `C:\etc\os-release` and `C:\usr\lib\os-release`.
+
+### PoC
+
+Create a file larger than 1 GB of data in `C:\etc\os-release` or `C:\usr\lib\os-release` on a Windows environnement and start your Netty application.
+
+To observe what the application does with the file, the security analyst used "Process Monitor" from the "Windows SysInternals" suite. (https://learn.microsoft.com/en-us/sysinternals/)
+
+```
+cd C:\etc
+fsutil file createnew os-release 3000000000
+```
+
+<img width="519" alt="4" src="https://github.com/user-attachments/assets/39df22a3-462b-4fd0-af9a-aa30077ec08f">
+
+<img width="517" alt="5" src="https://github.com/user-attachments/assets/129dbd50-fc36-4da5-8eb1-582123fb528f">
+
+The source code used is the Netty website code example : [Echo ‐ the very basic client and server](https://netty.io/4.1/xref/io/netty/example/echo/package-summary.html).
+
+The vulnerability was tested on the 4.1.112.Final version.
+
+The security analyst tried the same technique for `C:\proc\sys\net\core\somaxconn` with a lot of values to impact Netty but the only things that works is the "larger than 1 GB file" technique. https://github.com/netty/netty/blob/c0fdb8e9f8f256990e902fcfffbbe10754d0f3dd/common/src/main/java/io/netty/util/NetUtil.java#L186
+
+### Impact
+
+By loading the "file larger than 1 GB" into the memory, the Netty library exceeds the JVM memory limit and causes a crash in the java Windows application.
+
+This behaviour occurs 100% of the time in both Server mode and Client mode if the large file exists.
+
+Client mode :
+
+<img width="449" alt="6" src="https://github.com/user-attachments/assets/f8fe1ed0-1a42-4490-b9ed-dbc9af7804be">
+
+Server mode :
+
+<img width="464" alt="7" src="https://github.com/user-attachments/assets/b34b42bd-4fbd-4170-b93a-d29ba87b88eb">
+
+somaxconn :
+
+<img width="532" alt="8" src="https://github.com/user-attachments/assets/0656b3bb-32c6-4ae2-bff7-d93babba08a3">
+
+### Severity
+
+- Attack vector : "Local" because the attacker needs to be on the system where the Netty application is running.
+- Attack complexity : "Low" because the attacker only need to create a massive file (regardless of its contents).
+- Privileges required : "Low" because the attacker requires a user account to exploit the vulnerability.
+- User intercation : "None" because the administrator don't need to accidentally click anywhere to trigger the vulnerability. Furthermore, the exploitation works with defaults windows/AD settings.
+- Scope : "Unchanged" because only Netty is affected by the vulnerability.
+- Confidentiality : "None" because no data is exposed through exploiting the vulnerability.
+- Integrity : "None" because the explotation of the vulnerability does not allow editing, deleting or adding data elsewhere.
+- Availability : "High" because the exploitation of this vulnerability crashes the entire java application.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 2" src="https://img.shields.io/badge/M-2-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-http</strong> <code>9.4.51.v20230217</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-http@9.4.51.v20230217</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-6763?s=github&n=jetty-http&ns=org.eclipse.jetty&t=maven&vr=%3E%3D7.0.0%2C%3C%3D12.0.11"><img alt="medium 6.3: CVE--2024--6763" src="https://img.shields.io/badge/CVE--2024--6763-lightgrey?label=medium%206.3&labelColor=fbb552"/></a> <i>Improper Validation of Syntactic Correctness of Input</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=7.0.0<br/><=12.0.11</code></td></tr>
+<tr><td>Fixed version</td><td><code>12.0.12</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.923%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>75th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+
+Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, `HttpURI`, for URI/URL parsing.
+
+The `HttpURI` class does insufficient validation on the authority segment of a URI.  However the behaviour of `HttpURI` differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC.  Specifically `HttpURI` and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
+
+## Details
+
+### Affected components
+
+The vulnerable component is the `HttpURI` class when used as a utility class in an application.  The Jetty usage of the class is not vulnerable.
+
+### Attack overview
+
+The `HttpURI` class does not well validate the authority section of a URI. When presented with an illegal authority that may contain user info (eg username:password#@hostname:port), then the parsing of the URI is not failed.  Moreover, the interpretation of what part of the authority is the host name differs from a common browser in  that they also do not fail, but they select a different host name from the illegal URI.
+
+### Attack scenario
+
+A typical attack scenario is illustrated in the diagram below. The Validator checks whether the attacker-supplied URL is on the blocklist. If not, the URI is passed to the Requester for redirection. The Requester is responsible for sending requests to the hostname specified by the URI.
+
+This attack occurs when the Validator is the `org.eclipse.jetty.http.HttpURI` class and the Requester is the `Browser` (include chrome, firefox and Safari). An attacker can send a malformed URI to the Validator (e.g., `http://browser.check%23%40vulndetector.com/` ). After validation, the Validator finds that the hostname is not on the blocklist. However, the Requester can still send requests to the domain with the hostname `vulndetector.com`.
+
+## PoC
+
+payloads:
+
+```
+http://browser.check &@vulndetector.com/
+http://browser.check #@vulndetector.com/
+http://browser.check?@vulndetector.com/
+http://browser.check#@vulndetector.com/
+http://vulndetector.com\\/
+```
+
+The problem of 302 redirect parsing in HTML tag scenarios. Below is a poc example. After clicking the button, the browser will open "browser.check", and jetty will parse this URL as "vulndetector.com".
+
+```
+<a href="http://browser.check#@vulndetector.com/"></a>
+```
+A comparison of the parsing differences between Jetty and chrome is shown in the table below (note that neither should accept the URI as valid).
+
+| Invalid URI                                       | Jetty            | Chrome        |
+| ---------------------------------------------- | ---------------- | ------------- |
+| http://browser.check &@vulndetector.com/ | vulndetector.com | browser.check |
+| http://browser.check #@vulndetector.com/ | vulndetector.com | browser.check |
+| http://browser.check?@vulndetector.com/    | vulndetector.com | browser.check |
+| http://browser.check#@vulndetector.com/    | vulndetector.com | browser.check |
+
+The problem of 302 redirect parsing in HTTP 302 Location
+
+| Input                    | Jetty          | Chrome        |
+| ------------------------ | -------------- | ------------- |
+| http://browser.check%5c/ | browser.check\ | browser.check |
+
+It is noteworthy that Spring Web also faced similar security vulnerabilities, being affected by the aforementioned four types of payloads. These issues have since been resolved and have been assigned three CVE numbers [3-5].
+
+## Impact
+
+The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly.  Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section.  The vulnerability will help attackers bypass the protections that developers have set up for hosts. The vulnerability will lead to **SSRF**[1] and **URL Redirection**[2] vulnerabilities in several cases. 
+
+## Mitigation
+
+The attacks outlined above rely on decoded user data being passed to the `HttpURI` class. Application should not pass decoded user data as an encoded URI to any URI class/method, including `HttpURI`.  Such applications are likely to be vulnerable in other ways. 
+The immediate solution is to upgrade to a version of the class that will fully validate the characters of the URI authority.  Ultimately, Jetty will deprecate and remove support for user info in the authority per [RFC9110 Section 4.2.4](https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4). 
+
+Note that the Chrome (and other browsers) parse the invalid user info section improperly as well (due to flawed WhatWG URL parsing rules that do not apply outside of a Web Browser).
+
+## Reference
+
+[1] https://cwe.mitre.org/data/definitions/918.html
+[2] https://cwe.mitre.org/data/definitions/601.html
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2023-40167?s=github&n=jetty-http&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.0.0%2C%3C%3D9.4.51"><img alt="medium 5.3: CVE--2023--40167" src="https://img.shields.io/badge/CVE--2023--40167-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>Improper Handling of Length Parameter Inconsistency</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.0.0<br/><=9.4.51</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.52</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>5.222%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>90th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Impact
+
+Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field.  This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses.  There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.
+
+### Workarounds
+
+There is no workaround as there is no known exploit scenario.   
+
+### Original Report 
+
+[RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts "+" prefixed Content-Length, which could lead to potential HTTP request smuggling.
+
+Payload:
+
+```
+ POST / HTTP/1.1
+ Host: a.com
+ Content-Length: +16
+ Connection: close
+ ​
+ 0123456789abcdef
+```
+
+When sending this payload to Jetty, it can successfully parse and identify the length.
+
+When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.
+
+This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>com.google.guava/guava</strong> <code>30.1.1-jre</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.guava/guava@30.1.1-jre</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-2976?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D1.0%2C%3C32.0.0-android"><img alt="medium 5.5: CVE--2023--2976" src="https://img.shields.io/badge/CVE--2023--2976-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Creation of Temporary File in Directory with Insecure Permissions</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.0<br/><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.071%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
+
+Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2020-8908?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3C32.0.0-android"><img alt="low 3.3: CVE--2020--8908" src="https://img.shields.io/badge/CVE--2020--8908-lightgrey?label=low%203.3&labelColor=fce1a9"/></a> <i>Improper Handling of Alternate Encoding</i>
+
+<table>
+<tr><td>Affected range</td><td><code><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>3.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.072%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>io.netty/netty-codec-http</strong> <code>4.1.96.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty-codec-http@4.1.96.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-29025?s=github&n=netty-codec-http&ns=io.netty&t=maven&vr=%3C4.1.108.Final"><img alt="medium 5.3: CVE--2024--29025" src="https://img.shields.io/badge/CVE--2024--29025-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>Allocation of Resources Without Limits or Throttling</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.108.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.108.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.261%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>49th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+The `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors 
+
+### Details
+1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list.
+2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits
+
+### PoC
+
+Here is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder
+
+
+Here is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
+
+### Impact
+Any Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2025-58056?s=github&n=netty-codec-http&ns=io.netty&t=maven&vr=%3C4.1.125.Final"><img alt="low : CVE--2025--58056" src="https://img.shields.io/badge/CVE--2025--58056-lightgrey?label=low%20&labelColor=fce1a9"/></a> <i>Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.125.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.125.Final</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.024%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>6th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+A flaw in netty's parsing of chunk extensions in HTTP/1.1 messages with chunked encoding can lead to request smuggling issues with some reverse proxies.
+
+## Details
+When encountering a newline character (LF) while parsing a chunk extension, netty interprets the newline as the end of the chunk-size line regardless of whether a preceding carriage return (CR) was found. This is in violation of the HTTP 1.1 standard which specifies that the chunk extension is terminated by a CRLF sequence (see the [RFC](https://datatracker.ietf.org/doc/html/rfc9112#name-chunked-transfer-coding)).
+
+This is by itself harmless, but consider an intermediary with a similar parsing flaw: while parsing a chunk extension, the intermediary interprets an LF without a preceding CR as simply part of the chunk extension (this is also in violation of the RFC, because whitespace characters are not allowed in chunk extensions). We can use this discrepancy to construct an HTTP request that the intermediary will interpret as one request but netty will interpret as two (all lines ending with CRLF, notice the LFs in the chunk extension):
+
+```
+POST /one HTTP/1.1
+Host: localhost:8080
+Transfer-Encoding: chunked
+
+48;\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n0
+
+POST /two HTTP/1.1
+Host: localhost:8080
+Transfer-Encoding: chunked
+
+0
+
+```
+
+The intermediary will interpret this as a single request. Once forwarded to netty, netty will interpret it as two separate requests. This is a problem, because attackers can then the intermediary, as well as perform standard request smuggling attacks against other live users (see [this Portswigger article](https://portswigger.net/web-security/request-smuggling/exploiting)).
+
+## Impact
+This is a request smuggling issue which can be exploited for bypassing front-end access control rules as well as corrupting the responses served to other live clients.
+
+The impact is high, but it only affects setups that use a front-end which:
+1. Interprets LF characters (without preceding CR) in chunk extensions as part of the chunk extension.
+2. Forwards chunk extensions without normalization.
+
+## Disclosure
+
+ - This vulnerability was disclosed on June 18th, 2025 here: https://w4ke.info/2025/06/18/funky-chunks.html
+
+## Discussion
+Discussion for this vulnerability can be found here:
+ - https://github.com/netty/netty/issues/15522
+ - https://github.com/JLLeitschuh/unCVEed/issues/1
+
+## Credit
+
+ - Credit to @JeppW for uncovering this vulnerability.
+ - Credit to @JLLeitschuh at [Socket](https://socket.dev/) for coordinating the vulnerability disclosure.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>com.google.guava/guava</strong> <code>27.0-jre</code> (maven)</summary>
+
+<small><code>pkg:maven/com.google.guava/guava@27.0-jre</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2023-2976?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3E%3D1.0%2C%3C32.0.0-android"><img alt="medium 5.5: CVE--2023--2976" src="https://img.shields.io/badge/CVE--2023--2976-lightgrey?label=medium%205.5&labelColor=fbb552"/></a> <i>Creation of Temporary File in Directory with Insecure Permissions</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=1.0<br/><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.071%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
+
+Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2020-8908?s=github&n=guava&ns=com.google.guava&t=maven&vr=%3C32.0.0-android"><img alt="low 3.3: CVE--2020--8908" src="https://img.shields.io/badge/CVE--2020--8908-lightgrey?label=low%203.3&labelColor=fce1a9"/></a> <i>Improper Handling of Alternate Encoding</i>
+
+<table>
+<tr><td>Affected range</td><td><code><32.0.0-android</code></td></tr>
+<tr><td>Fixed version</td><td><code>32.0.0-android</code></td></tr>
+<tr><td>CVSS Score</td><td><code>3.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.072%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>22nd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.commons/commons-lang3</strong> <code>3.12.0</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.commons/commons-lang3@3.12.0</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-48924?s=github&n=commons-lang3&ns=org.apache.commons&t=maven&vr=%3E%3D3.0%2C%3C3.18.0"><img alt="medium 6.5: CVE--2025--48924" src="https://img.shields.io/badge/CVE--2025--48924-lightgrey?label=medium%206.5&labelColor=fbb552"/></a> <i>Uncontrolled Recursion</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.0<br/><3.18.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.18.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.5</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.043%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>13th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Uncontrolled Recursion vulnerability in Apache Commons Lang.
+
+This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
+
+The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
+
+Users are recommended to upgrade to version 3.18.0, which fixes the issue.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.apache.spark/spark-network-common_2.12</strong> <code>3.5.0</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.spark/spark-network-common_2.12@3.5.0</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-55039?s=github&n=spark-network-common_2.12&ns=org.apache.spark&t=maven&vr=%3E%3D3.5.0%2C%3C3.5.2"><img alt="medium 4.6: CVE--2025--55039" src="https://img.shields.io/badge/CVE--2025--55039-lightgrey?label=medium%204.6&labelColor=fbb552"/></a> <i>Inadequate Encryption Strength</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=3.5.0<br/><3.5.2</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.5.2</code></td></tr>
+<tr><td>CVSS Score</td><td><code>4.6</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.056%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>17th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+This issue affects Apache Spark versions before  3.4.4, 3.5.2 and 4.0.0.
+
+Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.
+
+When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.
+
+This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.
+
+To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>io.netty/netty-codec</strong> <code>4.1.96.Final</code> (maven)</summary>
+
+<small><code>pkg:maven/io.netty/netty-codec@4.1.96.Final</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-58057?s=github&n=netty-codec&ns=io.netty&t=maven&vr=%3C4.1.125.Final"><img alt="medium 6.9: CVE--2025--58057" src="https://img.shields.io/badge/CVE--2025--58057-lightgrey?label=medium%206.9&labelColor=fbb552"/></a> <i>Improper Handling of Highly Compressed Data (Data Amplification)</i>
+
+<table>
+<tr><td>Affected range</td><td><code><4.1.125.Final</code></td></tr>
+<tr><td>Fixed version</td><td><code>4.1.125.Final</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.034%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>9th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### Summary
+
+With specially crafted input, `BrotliDecoder` and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.
+
+### Details
+
+`BrotliDecoder.decompress` has no limit in how often it calls `pull`, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is basically a zip bomb.
+
+Tested on 4.1.118, but there were no changes to the decoder since.
+
+### PoC
+
+Run this test case with `-Xmx1G`:
+
+```java
+import io.netty.buffer.Unpooled;
+import io.netty.channel.embedded.EmbeddedChannel;
+
+import java.util.Base64;
+
+public class T {
+    public static void main(String[] args) {
+        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
+        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
+    }
+}
+```
+
+Error:
+
+```
+Exception in thread "main" java.lang.OutOfMemoryError: Cannot reserve 4194304 bytes of direct buffer memory (allocated: 1069580289, limit: 1073741824)
+	at java.base/java.nio.Bits.reserveMemory(Bits.java:178)
+	at java.base/java.nio.DirectByteBuffer.<init>(DirectByteBuffer.java:121)
+	at java.base/java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:332)
+	at io.netty.buffer.PoolArena$DirectArena.allocateDirect(PoolArena.java:718)
+	at io.netty.buffer.PoolArena$DirectArena.newChunk(PoolArena.java:693)
+	at io.netty.buffer.PoolArena.allocateNormal(PoolArena.java:213)
+	at io.netty.buffer.PoolArena.tcacheAllocateNormal(PoolArena.java:195)
+	at io.netty.buffer.PoolArena.allocate(PoolArena.java:137)
+	at io.netty.buffer.PoolArena.allocate(PoolArena.java:127)
+	at io.netty.buffer.PooledByteBufAllocator.newDirectBuffer(PooledByteBufAllocator.java:403)
+	at io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:188)
+	at io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:179)
+	at io.netty.buffer.AbstractByteBufAllocator.buffer(AbstractByteBufAllocator.java:116)
+	at io.netty.handler.codec.compression.BrotliDecoder.pull(BrotliDecoder.java:70)
+	at io.netty.handler.codec.compression.BrotliDecoder.decompress(BrotliDecoder.java:101)
+	at io.netty.handler.codec.compression.BrotliDecoder.decode(BrotliDecoder.java:137)
+	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
+	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
+	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
+	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
+	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
+	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
+	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
+	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
+	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
+	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
+	at io.netty.channel.embedded.EmbeddedChannel.writeInbound(EmbeddedChannel.java:348)
+	at io.netty.handler.codec.compression.T.main(T.java:11)
+```
+
+### Impact
+
+DoS for anyone using `BrotliDecoder` on untrusted input.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-http</strong> <code>9.4.52.v20230823</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-http@9.4.52.v20230823</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-6763?s=github&n=jetty-http&ns=org.eclipse.jetty&t=maven&vr=%3E%3D7.0.0%2C%3C%3D12.0.11"><img alt="medium 6.3: CVE--2024--6763" src="https://img.shields.io/badge/CVE--2024--6763-lightgrey?label=medium%206.3&labelColor=fbb552"/></a> <i>Improper Validation of Syntactic Correctness of Input</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=7.0.0<br/><=12.0.11</code></td></tr>
+<tr><td>Fixed version</td><td><code>12.0.12</code></td></tr>
+<tr><td>CVSS Score</td><td><code>6.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.923%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>75th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+## Summary
+
+Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, `HttpURI`, for URI/URL parsing.
+
+The `HttpURI` class does insufficient validation on the authority segment of a URI.  However the behaviour of `HttpURI` differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC.  Specifically `HttpURI` and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.
+
+## Details
+
+### Affected components
+
+The vulnerable component is the `HttpURI` class when used as a utility class in an application.  The Jetty usage of the class is not vulnerable.
+
+### Attack overview
+
+The `HttpURI` class does not well validate the authority section of a URI. When presented with an illegal authority that may contain user info (eg username:password#@hostname:port), then the parsing of the URI is not failed.  Moreover, the interpretation of what part of the authority is the host name differs from a common browser in  that they also do not fail, but they select a different host name from the illegal URI.
+
+### Attack scenario
+
+A typical attack scenario is illustrated in the diagram below. The Validator checks whether the attacker-supplied URL is on the blocklist. If not, the URI is passed to the Requester for redirection. The Requester is responsible for sending requests to the hostname specified by the URI.
+
+This attack occurs when the Validator is the `org.eclipse.jetty.http.HttpURI` class and the Requester is the `Browser` (include chrome, firefox and Safari). An attacker can send a malformed URI to the Validator (e.g., `http://browser.check%23%40vulndetector.com/` ). After validation, the Validator finds that the hostname is not on the blocklist. However, the Requester can still send requests to the domain with the hostname `vulndetector.com`.
+
+## PoC
+
+payloads:
+
+```
+http://browser.check &@vulndetector.com/
+http://browser.check #@vulndetector.com/
+http://browser.check?@vulndetector.com/
+http://browser.check#@vulndetector.com/
+http://vulndetector.com\\/
+```
+
+The problem of 302 redirect parsing in HTML tag scenarios. Below is a poc example. After clicking the button, the browser will open "browser.check", and jetty will parse this URL as "vulndetector.com".
+
+```
+<a href="http://browser.check#@vulndetector.com/"></a>
+```
+A comparison of the parsing differences between Jetty and chrome is shown in the table below (note that neither should accept the URI as valid).
+
+| Invalid URI                                       | Jetty            | Chrome        |
+| ---------------------------------------------- | ---------------- | ------------- |
+| http://browser.check &@vulndetector.com/ | vulndetector.com | browser.check |
+| http://browser.check #@vulndetector.com/ | vulndetector.com | browser.check |
+| http://browser.check?@vulndetector.com/    | vulndetector.com | browser.check |
+| http://browser.check#@vulndetector.com/    | vulndetector.com | browser.check |
+
+The problem of 302 redirect parsing in HTTP 302 Location
+
+| Input                    | Jetty          | Chrome        |
+| ------------------------ | -------------- | ------------- |
+| http://browser.check%5c/ | browser.check\ | browser.check |
+
+It is noteworthy that Spring Web also faced similar security vulnerabilities, being affected by the aforementioned four types of payloads. These issues have since been resolved and have been assigned three CVE numbers [3-5].
+
+## Impact
+
+The impact of this vulnerability is limited to developers that use the Jetty HttpURI directly.  Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section.  The vulnerability will help attackers bypass the protections that developers have set up for hosts. The vulnerability will lead to **SSRF**[1] and **URL Redirection**[2] vulnerabilities in several cases. 
+
+## Mitigation
+
+The attacks outlined above rely on decoded user data being passed to the `HttpURI` class. Application should not pass decoded user data as an encoded URI to any URI class/method, including `HttpURI`.  Such applications are likely to be vulnerable in other ways. 
+The immediate solution is to upgrade to a version of the class that will fully validate the characters of the URI authority.  Ultimately, Jetty will deprecate and remove support for user info in the authority per [RFC9110 Section 4.2.4](https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4). 
+
+Note that the Chrome (and other browsers) parse the invalid user info section improperly as well (due to flawed WhatWG URL parsing rules that do not apply outside of a Web Browser).
+
+## Reference
+
+[1] https://cwe.mitre.org/data/definitions/918.html
+[2] https://cwe.mitre.org/data/definitions/601.html
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 1" src="https://img.shields.io/badge/M-1-fbb552"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-servlets</strong> <code>9.4.52.v20230823</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-servlets@9.4.52.v20230823</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-9823?s=github&n=jetty-servlets&ns=org.eclipse.jetty&t=maven&vr=%3E%3D9.0.0%2C%3C9.4.54"><img alt="medium 5.3: CVE--2024--9823" src="https://img.shields.io/badge/CVE--2024--9823-lightgrey?label=medium%205.3&labelColor=fbb552"/></a> <i>Uncontrolled Resource Consumption</i>
+
+<table>
+<tr><td>Affected range</td><td><code>>=9.0.0<br/><9.4.54</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.54</code></td></tr>
+<tr><td>CVSS Score</td><td><code>5.3</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.591%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>68th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Description
+There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
+
+
+Vulnerability details
+The Jetty DoSFilter (Denial of Service Filter) is a security filter designed to protect web applications against certain types of Denial of Service (DoS) attacks and other abusive behavior. It helps to mitigate excessive resource consumption by limiting the rate at which clients can make requests to the server.  The DoSFilter monitors and tracks client request patterns, including request rates, and can take actions such as blocking or delaying requests from clients that exceed predefined thresholds.  The internal tracking of requests in DoSFilter is the source of this OutOfMemory condition.
+
+
+Impact
+Users of the DoSFilter may be subject to DoS attacks that will ultimately exhaust the memory of the server if they have not configured session passivation or an aggressive session inactivation timeout.
+
+
+Patches
+The DoSFilter has been patched in all active releases to no longer support the session tracking mode, even if configured.
+
+
+Patched releases:
+
+  *  9.4.54
+  *  10.0.18
+  *  11.0.18
+  *  12.0.3
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 2" src="https://img.shields.io/badge/L-2-fce1a9"/> <!-- unspecified: 0 --><strong>busybox</strong> <code>1.36.1-r29</code> (apk)</summary>
+
+<small><code>pkg:apk/alpine/busybox@1.36.1-r29?os_name=alpine&os_version=3.20</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-46394?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C1.36.1-r31"><img alt="low : CVE--2025--46394" src="https://img.shields.io/badge/CVE--2025--46394-lightgrey?label=low%20&labelColor=fce1a9"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><1.36.1-r31</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.36.1-r31</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.017%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>3rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+
+<a href="https://scout.docker.com/v/CVE-2024-58251?s=alpine&n=busybox&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C1.36.1-r31"><img alt="low : CVE--2024--58251" src="https://img.shields.io/badge/CVE--2024--58251-lightgrey?label=low%20&labelColor=fce1a9"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><1.36.1-r31</code></td></tr>
+<tr><td>Fixed version</td><td><code>1.36.1-r31</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.020%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>4th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>org.eclipse.jetty/jetty-xml</strong> <code>9.4.51.v20230217</code> (maven)</summary>
+
+<small><code>pkg:maven/org.eclipse.jetty/jetty-xml@9.4.51.v20230217</code></small><br/>
+<a href="https://scout.docker.com/v/GHSA-58qw-p7qm-5rvh?s=github&n=jetty-xml&ns=org.eclipse.jetty&t=maven&vr=%3C%3D9.4.51"><img alt="low 3.9: GHSA--58qw--p7qm--5rvh" src="https://img.shields.io/badge/GHSA--58qw--p7qm--5rvh-lightgrey?label=low%203.9&labelColor=fce1a9"/></a> <i>Improper Restriction of XML External Entity Reference</i>
+
+<table>
+<tr><td>Affected range</td><td><code><=9.4.51</code></td></tr>
+<tr><td>Fixed version</td><td><code>9.4.52.v20230823</code></td></tr>
+<tr><td>CVSS Score</td><td><code>3.9</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+### From the reporter
+
+> `XmlParser` is vulnerable to XML external entity (XXE) vulnerability.
+>  XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit
+> this vulnerability in order to achieve SSRF or cause a denial of service.
+> One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the
+> WAR includes a malicious web.xml.
+
+### Impact
+There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code.  Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation.  
+
+Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser.  No CVE will be allocated to this advisory.
+
+However, any direct usage of the `XmlParser` class by an application may be vulnerable.  The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely.
+
+### Patches
+Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067
+
+### Workarounds
+Don't use `XmlParser` to parse data from users.
+
+
+
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 1" src="https://img.shields.io/badge/L-1-fce1a9"/> <!-- unspecified: 0 --><strong>org.apache.hadoop/hadoop-common</strong> <code>3.3.6</code> (maven)</summary>
+
+<small><code>pkg:maven/org.apache.hadoop/hadoop-common@3.3.6</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2024-23454?s=github&n=hadoop-common&ns=org.apache.hadoop&t=maven&vr=%3C3.4.0"><img alt="low 2.0: CVE--2024--23454" src="https://img.shields.io/badge/CVE--2024--23454-lightgrey?label=low%202.0&labelColor=fce1a9"/></a> <i>Improper Privilege Management</i>
+
+<table>
+<tr><td>Affected range</td><td><code><3.4.0</code></td></tr>
+<tr><td>Fixed version</td><td><code>3.4.0</code></td></tr>
+<tr><td>CVSS Score</td><td><code>2</code></td></tr>
+<tr><td>CVSS Vector</td><td><code>CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N</code></td></tr>
+<tr><td>EPSS Score</td><td><code>0.037%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>11th percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+Apache Hadoop’s `RunJar.run()` does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.
+
+</blockquote>
+</details>
+</details></td></tr>
+
+<tr><td valign="top">
+<details><summary><img alt="critical: 0" src="https://img.shields.io/badge/C-0-lightgrey"/> <img alt="high: 0" src="https://img.shields.io/badge/H-0-lightgrey"/> <img alt="medium: 0" src="https://img.shields.io/badge/M-0-lightgrey"/> <img alt="low: 0" src="https://img.shields.io/badge/L-0-lightgrey"/> <img alt="unspecified: 1" src="https://img.shields.io/badge/U-1-lightgrey"/><strong>lz4</strong> <code>1.9.4-r5</code> (apk)</summary>
+
+<small><code>pkg:apk/alpine/lz4@1.9.4-r5?os_name=alpine&os_version=3.20</code></small><br/>
+<a href="https://scout.docker.com/v/CVE-2025-62813?s=alpine&n=lz4&ns=alpine&t=apk&osn=alpine&osv=3.20&vr=%3C%3D1.9.4-r5"><img alt="unspecified : CVE--2025--62813" src="https://img.shields.io/badge/CVE--2025--62813-lightgrey?label=unspecified%20&labelColor=lightgrey"/></a> 
+
+<table>
+<tr><td>Affected range</td><td><code><=1.9.4-r5</code></td></tr>
+<tr><td>Fixed version</td><td><strong>Not Fixed</strong></td></tr>
+<tr><td>EPSS Score</td><td><code>0.018%</code></td></tr>
+<tr><td>EPSS Percentile</td><td><code>3rd percentile</code></td></tr>
+</table>
+
+<details><summary>Description</summary>
+<blockquote>
+
+
+
+</blockquote>
+</details>
+</details></td></tr>
+</table>
+
diff --git a/docker/SYSTEMDS-3878/summary-of-changes.md b/docker/SYSTEMDS-3878/summary-of-changes.md
new file mode 100644
index 00000000000..3b7b1eb27b8
--- /dev/null
+++ b/docker/SYSTEMDS-3878/summary-of-changes.md
@@ -0,0 +1,243 @@
+<!-- 
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# 
+-->
+
+# Data Integration and Large-Scale Analysis
+
+[Return](README.md#student-project-systemds-3878) to SYSTEMDS-3878. \
+***Improve Docker Security***
+
+>This task is to improve the security of the Docker images we provide. Currently we get an 'F' evaluation on DockerHub, and we would like instead to provide secure images.
+
+In the [appendix](#detailed-example-orgapachezookeeperzookeeper), you can see a full example on how we analysed the identified vulnerabilities.
+
+- [Data Integration and Large-Scale Analysis](#data-integration-and-large-scale-analysis)
+  - [Changes](#changes)
+    - [`pom.xml`](#pomxml)
+    - [Critical CVEs `io.netty/netty@3.10.6.Final`](#critical-cves-ionettynetty3106final)
+    - [`sysds.Dockerfile`](#sysdsdockerfile)
+  - [Changelog](#changelog)
+  - [Appendix](#appendix)
+    - [Detailed example: `org.apache.zookeeper/zookeeper`](#detailed-example-orgapachezookeeperzookeeper)
+
+## Changes
+
+### `pom.xml`
+
+By calling this url, you can view the changes on the pom.xml between the start and the end of the SYSDS-3878 student project: \
+[https://github.com/qschnee/systemds/compare/05b2298..3d563ff#diff-pom.xml](https://github.com/qschnee/systemds/compare/05b2298..3d563ff#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8) \
+This url compares the two commits and scrolls the webpage directly to the `pom.xml` changes. Note that the real link does not use the filename, but a hash.
+
+### Critical CVEs `io.netty/netty@3.10.6.Final`
+
+This is a transitive dependency from `hadoop-hdfs 3.3.6`. Version `3.4.2` does not use the `netty` dependency anymore. The update has been made in the `pom.xml` property: \
+`<hadoop-hdfs.version>3.4.2</hadoop-hdfs.version>`
+
+The only change necessary in the code is in the import of the netty package. What was
+```java
+import org.jboss.netty.handler.codec.compression.CompressionException;
+```
+became
+```java
+import io.netty.handler.codec.compression.CompressionException;
+```
+
+#### Usage
+
+At the time of writing, the only usage of this import is in [systemds/src/main/java/org/apache/sysds/runtime/compress/colgroup/ColGroupDDC.java](systemds/src/main/java/org/apache/sysds/runtime/compress/colgroup/ColGroupDDC.java):
+```java
+// import org.jboss.netty.handler.codec.compression.CompressionException;
+import io.netty.handler.codec.compression.CompressionException;
+// CVE-2019-20444: org.jboss.netty replaced by io.netty in hadoop-hdfs 3.4.2
+```
+
+### `sysds.Dockerfile`
+
+```Dockerfile
+RUN apk add --no-cache bash \
+    snappy \
+    lz4 \
+    zlib \
+    # added apks update to solve openssl and busybox CVEs
+    && apk update \
+    && apk upgrade openssl busybox busybox-binsh ssl_client libcrypto3 libssl3
+```
+
+## Changelog
+
+#### Dec 4, 2025
+- Create documentation to log work and document changes
+
+#### Jan 6, 2026
+- `org.apache.zookeeper/zookeeper@3.6.3` -> 3.8.3 (CVE-2023-44981)
+- Modified `sysds.Dockerfile` to build locally from filesystem instead of pulling latest (which doesn't contain the changes yet)
+
+#### Jan 11, 2026
+- kerby → 2.0.3 (CVE-2023-25613)
+- avro → 1.11.4 (CVE-2024-47561)
+
+#### Jan 14, 2026
+- `org.apache.zookeeper/zookeeper@3.8.3` -> 3.9.4 (CVE-2024-23944)
+- explicit `io.nety/netty-handler@4.1.118.Final` (CVE-2023-3678, CVE-2025-11226, CVE-2024-12798, CVE-2024-12801)
+
+#### Jan 15, 2026
+- json-smart → 2.4.9 (CVE-2023-1370)
+- jettison → 1.5.4 (CVE-2023-1436)
+- snappy-java → 1.1.10.4 (CVE-2023-43642)
+- nimbus-jose-jwt → 9.37.4 (CVE-2023-52428)
+- logback → 1.2.13 (CVE-2023-6378)
+- aircompressor → 0.27 (CVE-2024-36114)
+- commons-io → 2.14.0 (CVE-2024-47554)
+- protobuf-java → 3.25.5 (CVE-2024-7254)
+- jackson-core → 2.15.0 (CVE-2025-52999)
+
+#### Jan 16, 2026
+- netty → 4.1.124.Final (CVE-2023-44487, CVE-2025-55163)
+- xnio-api → 3.8.14.Final (CVE-2023-5685)
+- dnsjava → 3.6.0 (CVE-2024-25638)
+- jetty → 9.4.57.v20241219 (CVE-2024-6763)
+- commons-beanutils → 1.11.0 (CVE-2025-48734)
+
+#### Jan 21, 2026
+- `org.eclipse.jetty/jetty-http@9.4.57.v20241219` -> 12.0.12 (CVE-2024-6763)
+- explicit `org.apache.commons/commons-compress@1.26.0` (CVE-2024-26308, CVE-2024-25710, CVE-2023-42503)
+- explicit `org.apache.commons/commons-configuration2@2.10.1` (CVE-2024-29133, CVE-2024-29131)
+- explicit `org.apache.hadoop.thirdparty/hadoop-shaded-guava@1.5.0`
+- explicit `com.google.guava/guava@33.5.0-jre`
+
+  --> (CVE-2023-2976, CVE-2020-8908)
+
+#### Jan 22, 2026
+- `io.netty/netty-codec-http@4.1.124.Final` -> 4.1.129.Final
+- `io.netty/netty-codec-smtp@4.1.124.Final` -> 4.1.129.Final
+- `io.netty/netty-codec@4.1.124.Final` -> 4.1.129.Final
+
+--> (CVE-2025-67735, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419)
+- `org.apache.logging.log4j/log4j-core@2.22.1` -> 2.25.3 (CVE-2025-68161)
+
+#### Jan 23, 2026
+- explicit `org.apache.commons/commons-lang3@3.18.0` (CVE-2025-48924)
+- explicit `org.apache.spark/spark-network-common_2.12@3.5.2` (CVE-2025-55039)
+- `org.apache.hadoop/hadoop-common@3.3.6` -> 3.4.2 (CVE-2024-23454) \
+  Version 3.4.0 is enough for CVE-2024-23454, but generates two other CVEs which are solved with upgraded version 3.4.2
+- `org.apache.hadoop/hadoop-hdfs@3.3.6` -> 3.4.2 (CVE-2019-20444) \
+  Import changes: `org.jboss.netty.*` → `io.netty.*`
+
+#### Jan 25, 2026
+- busybox → 1.36.1-r31 (CVE-2024-58251, CVE-2025-46394)
+- openssl → 3.3.5-r0 (CVE-2025-9230, CVE-2025-9231, CVE-2025-9232)
+
+
+#### Jan 29, 2026
+- Created `UNFIXED_VULNERABILITIES.md` documenting 16 remaining CVEs
+
+## Appendix
+
+### Detailed example: `org.apache.zookeeper/zookeeper`
+
+Here is the detail of how to detect and solve vulnerabilities once identified by zookeeper.
+
+CVE-2023-44981 Authorization Bypass Through User-Controlled Key
+- Analyse the vulnerable package
+
+  The current version is `3.6.3`. Scout recommends upgrading the package to `3.7.2`, `3.8.3`, or `3.9.1`. \
+  [Releases](https://zookeeper.apache.org/releases.html): `3.7.2` already reached its EoL.
+
+  Apache zookeeper is not directly imported in the project. The vulnerability is raised transitively by another dependecy. \
+  `mvn dependency:tree` shows all implicit dependencies (see the [appendix](README.md#output-of-mvn-dependencytree-before-any-change) for the output). \
+  The responsible dependency seems to be the apache spark-core package.
+
+  ```bash
+  [INFO] org.apache.systemds:systemds:jar:3.4.0-SNAPSHOT
+  [INFO] +- org.apache.spark:spark-core_2.12:jar:3.5.0:compile
+  [INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.6.3:compile
+  ```
+
+  From the documentation [Spark Project Core](https://mvnrepository.com/artifact/org.apache.spark/spark-core_2.13/4.0.1): Version `3.5.x` uses zookeeper `3.6.3`. \
+  The version `4.0.x` uses zookeeper `3.9.3` which still has a known vulnerability.
+
+  Spark-core `4.1.0` uses the latest version `3.9.4` of zookeeper.
+
+  By inspecting the jars, it has been found out that zookeeper is used by `hadoop-common` as well.
+- Ideas to solve Vulnerabilities
+  - Upgrade `spark-core`
+    - `3.4.x` doesn't use scala `2.12` anymore \
+      Update other dependencies (`spark-sql` etc) for the whole project to use scala `2.13`. \
+      scala `2.13` is not backwards compatible with `2.12`.
+    - No direct backwards compatibility between `4.0` and `3.5` \
+      [core migration guide](https://spark.apache.org/docs/latest/core-migration-guide.html#upgrading-from-core-35-to-40) \
+      This upgrade would require significant changes on the whole project.
+  - Make `spark-core` use zookeeper `3.8.3+`
+    - as `spark-core` is a package  using `zookeeper`, explicitely declaring another version of the zookeeper dependency will override spark's dependecy. As zookeeper is backwards compatible, this should not cause problems for the app
+    - `hadoop-common 3.3.6` also uses `zookeeper 3.6.3`.
+
+#### Solution
+
+As `org.apache.zookeeper/zookeeper@3.8.3` also has transitive vulnerabilities, it has been decided to upgrade to `3.9.4` which only has one known transitive vulnerability. \
+Zookeeper `3.9.4` will be used to solve all zookeeper-related vulnerabilities. `netty-handler` is also explicitly imported to solve a vulnerability related to the implicit version.
+
+**Changes** 
+- `pom.xml`
+  - explicit dependency \
+    `zookeeper 3.9.4` \
+    The vulnerability is solved by upgrading the version of `zookeeper`
+    ```xml
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-handler</artifactId>
+      <version>${netty.version}</version>
+    </dependency>
+    <!-- 
+    Explicit declaration to use 3.9.4 instead of implicit use of 3.6.3 by spark-core and hadoop-common.
+    Solves critical vulnerability CVE-2023-44981 in the docker image.
+    -->
+    <dependency>
+      <groupId>org.apache.zookeeper</groupId>
+      <artifactId>zookeeper</artifactId>
+      <version>3.9.4</version>
+      <exclusions>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-handler</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    ```
+  - exclude `zookeeper` from
+    - `spark-core`
+    - `hadoop-common`
+
+    Excluding `zookeeeper` from the dependencies prevents them from using a bundled older version and creating conflicts.
+    ```xml
+    <exclusion>
+      <groupId>org.apache.zookeeper</groupId>
+      <artifactId>zookeeper</artifactId>
+    </exclusion>
+    ```
+
+**Verification**
+- `docker scout` \
+  The critical vulnerability in `zookeeper` is not shown anymore
+- `mvn dependency:tree` \
+  shows a more recent version of zookeeper
+
+  No packet imported by zookeeper generates CVES.
+- building the project works \
+  `mvn clean package -P distribution`
diff --git a/docker/SYSTEMDS-3878/unfixed-vulnerabilities.md b/docker/SYSTEMDS-3878/unfixed-vulnerabilities.md
new file mode 100644
index 00000000000..fd5c3784952
--- /dev/null
+++ b/docker/SYSTEMDS-3878/unfixed-vulnerabilities.md
@@ -0,0 +1,214 @@
+<!-- 
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# 
+-->
+
+[Return](README.md#student-project-systemds-3878) to SYSTEMDS-3878.
+
+# Unfixed Vulnerabilities Report
+
+This document explains the remaining vulnerabilities in the `apache/systemds:latest` Docker image that cannot be resolved at this time due to upstream dependencies.
+
+## Overview
+
+| Severity | Count |
+|----------|-------|
+| Critical | 0 |
+| High | 6 |
+| Medium | 8 |
+| Low | 1 |
+| Unspecified | 1 |
+
+---
+
+## Transitive Maven Dependencies (Spark/Hadoop Ecosystem)
+
+These vulnerabilities originate from dependencies managed by Apache Spark and Hadoop. Upgrading them independently would break compatibility with the Spark runtime.
+
+### 1. protobuf-java 3.7.1
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2024-7254 | High | 8.7 | 3.25.5 |
+| CVE-2022-3510 | High | 7.5 | 3.16.3 |
+| CVE-2022-3509 | High | 7.5 | 3.16.3 |
+| CVE-2021-22569 | High | 7.5 | 3.16.1 |
+| CVE-2022-3171 | Medium | 5.7 | 3.16.3 |
+| CVE-2021-22570 | Medium | 5.5 | 3.15.0 |
+
+**Reason:** This is a transitive dependency bundled within Apache Spark's runtime JARs. Although SystemDS's `pom.xml` pins `<protobuf.version>3.25.5</protobuf.version>`, the Docker image still contains protobuf 3.7.1 because:
+
+1. **Spark bundles protobuf internally:** Spark 3.5.x includes protobuf classes within its shaded JARs. Maven dependency management cannot override classes already packaged inside Spark's uber-JARs.
+
+2. **Upgrading Spark would fix this:** Spark 4.0+ includes protobuf 3.25.x ([SPARK-49497](https://issues.apache.org/jira/browse/SPARK-49497)), which resolves all these CVEs.
+
+3. **But Spark 4.0 requires Scala 2.13:** Spark 4.0 dropped support for Scala 2.12 entirely. SystemDS currently uses Scala 2.12.18.
+
+4. **Scala 2.12 → 2.13 migration is non-trivial:** This requires recompiling all Scala code, updating the collections API usage, and ensuring all dependencies have Scala 2.13 builds available. This is a significant development effort that SystemDS upstream has not yet completed.
+
+**Dependency chain preventing the fix:**
+```
+protobuf 3.25.5 fix
+    └── requires Spark 4.0+
+            └── requires Scala 2.13
+                    └── requires SystemDS codebase migration (not yet done upstream)
+```
+
+**References:**
+- [SPARK-49497: Upgrade protobuf-java to 3.25.4](https://issues.apache.org/jira/browse/SPARK-49497)
+- [Spark 4.0 Release Notes - Scala 2.12 dropped](https://spark.apache.org/releases/spark-release-4-0-0.html)
+- [CVE-2024-7254 Advisory](https://advisories.gitlab.com/pkg/maven/com.google.protobuf/protobuf-java/CVE-2024-7254)
+
+---
+
+### 2. jetty-server 9.4.52.v20230823
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2024-13009 | High | 7.2 | 9.4.57 |
+| CVE-2024-8184 | Medium | 5.9 | 9.4.56 |
+
+**Reason:** Jetty 9.4.x is embedded within Apache Spark 3.x for the Spark UI and REST APIs. Although SystemDS's `pom.xml` pins `<jetty.version>9.4.57.v20241219</jetty.version>`, Spark bundles Jetty internally in its distribution JARs.
+
+1. **Jetty 9.4 is EOL:** Community support ended June 1, 2022; security support ended February 19, 2025.
+
+2. **Spark 4.0 uses Jetty 11+:** Spark 4.0 migrated from Jetty 9.4.56 to 11.0.24, fixing these CVEs.
+
+3. **Same Scala 2.13 blocker:** Upgrading to Spark 4.0 to get the newer Jetty requires Scala 2.13, which SystemDS doesn't yet support.
+
+**Dependency chain preventing the fix:**
+```
+Jetty 11+ fix
+    └── requires Spark 4.0+ (javax → jakarta migration)
+            └── requires Scala 2.13
+                    └── requires SystemDS codebase migration (not yet done upstream)
+```
+
+**References:**
+- [Endoflife: Eclipse Jetty](https://endoflife.date/eclipse-jetty)
+- [Spark 4.0 Release Notes - Jetty upgraded](https://spark.apache.org/releases/spark-release-4-0-0.html)
+- [CVE-2024-13009 Jetty Announcement](https://www.eclipse.org/lists/jetty-announce/msg00197.html)
+
+---
+
+### 3. jetty-servlets 9.4.52.v20230823
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2024-9823 | Medium | 5.3 | 9.4.54 |
+
+**Reason:** Is (same as jetty-server) managed by Apache Spark's dependency tree. The DoSFilter vulnerability affects session tracking and can cause OutOfMemory errors under attack conditions.
+
+**References:**
+- [CVE-2024-9823 GitHub Advisory](https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h)
+
+---
+
+### 4. jetty-http 9.4.52.v20230823
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2024-6763 | Medium | 6.3 | 12.0.12 |
+
+**Reason:** The `HttpURI` class validation issue is only fully fixed in **Jetty 12.0.12**. This CVE cannot be fixed because:
+
+1. **Spark 3.5.x uses Jetty 9.4.x** - bundled internally, cannot be overridden.
+
+2. **Spark 4.0 uses Jetty 11.0.24** - still does NOT include the fix for CVE-2024-6763.
+
+3. **Fix requires Jetty 12.0.12** - No current Spark version uses Jetty 12.x yet.
+
+**References:**
+- [CVE-2024-6763 GitHub Advisory](https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh)
+- [Spark 4.0 Release Notes - Jetty 11](https://spark.apache.org/releases/spark-release-4-0-0.html)
+- [Spark 3.5 Release Notes - Jetty 9.4](https://spark.apache.org/releases/spark-release-3-5-0.html)
+
+---
+
+### 5. jackson-core 2.13.4
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2025-52999 | High | 8.7 | 2.15.0 |
+
+**Reason:** The vulnerable jackson-core 2.13.4 is **shaded inside `parquet-jackson-1.13.1.jar`**. The classes cannot be excluded via Maven dependency management.
+
+**Why it cannot be fixed:**
+1. The main application correctly uses jackson-core 2.15.0 (the shaded copy is isolated inside Parquet).
+2. Upgrading to Parquet 1.14.x (which bundles jackson 2.17.0) was attempted but did not fix the CVE.
+3. Upgrading Spark to 4.0 would fix this, but requires Scala 2.13 migration.
+
+**References:**
+- [CVE-2025-52999 NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-52999)
+- [Jackson-core PR #943](https://github.com/FasterXML/jackson-core/pull/943)
+- [Spark 4.0 Release Notes - Parquet 1.15.2](https://spark.apache.org/releases/spark-release-4-0-0.html)
+
+---
+
+### 6. guava 14.0.1
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2018-10237 | Medium | 5.9 | 24.1.1 |
+| CVE-2023-2976 | Medium | 5.5 | 32.0.0 |
+| CVE-2020-8908 | Low | 3.3 | 32.0.0 |
+
+**Reason:** Guava 14.0.1 is an extremely old version pulled in as a transitive dependency from the Hadoop ecosystem. Hadoop has historically struggled with Guava version conflicts—different components require different versions. The solution implemented in Hadoop 3.3+ is to shade Guava into a separate namespace ([HADOOP-14284](https://issues.apache.org/jira/browse/HADOOP-14284)), but this doesn't help when older unshaded versions are still pulled in transitively.
+
+**References:**
+- [HADOOP-14284: Shade Guava everywhere](https://issues.apache.org/jira/browse/HADOOP-14284)
+- [HADOOP-17288: Use shaded guava from thirdparty](https://issues.apache.org/jira/browse/HADOOP-17288)
+- [HADOOP-16924: Shade & Update guava to 29.0-jre](https://issues.apache.org/jira/browse/HADOOP-16924)
+
+---
+
+## Alpine Linux Base Image Packages
+
+These vulnerabilities are in Alpine Linux system packages. Patched versions must come from Alpine maintainers.
+
+### 7. busybox 1.36.1-r31
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2025-60876 | Medium | 6.5 | **Not Fixed** |
+
+**Reason:** CRLF injection vulnerability in BusyBox wget through version 1.37. Allows attackers to inject control bytes into HTTP request-targets, enabling request line splitting and header injection. No patched version is available in the Alpine Linux 3.20 repository yet.
+
+**References:**
+- [CVE-2025-60876 NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-60876)
+- [Alpine Linux Security Tracker](https://security.alpinelinux.org/vuln/CVE-2025-60876)
+- [Docker Scout CVE-2025-60876](https://scout.docker.com/v/CVE-2025-60876)
+
+---
+
+### 8. lz4 1.9.4-r5
+
+| CVE | Severity | CVSS | Fixed In |
+|-----|----------|------|----------|
+| CVE-2025-62813 | Unspecified | - | **REJECTED** |
+
+**Reason:** This CVE has been **withdrawn and marked as rejected** by NIST. The CNA determined after investigation that this was not actually a security issue. The originally reported NULL pointer check issue in `LZ4F_createCDict_advanced` was not exploitable. **This can be safely ignored.**
+
+**References:**
+- [CVE-2025-62813 NVD Entry (Rejected)](https://nvd.nist.gov/vuln/detail/CVE-2025-62813)
+
+---
+
+*Last updated: January 28, 2026*  
+*Source: Docker Scout vulnerability scan (`scan-after-fixes/README.md`)*
diff --git a/docker/sysds.Dockerfile b/docker/sysds.Dockerfile
index 2238aa878a8..d711bc841a8 100644
--- a/docker/sysds.Dockerfile
+++ b/docker/sysds.Dockerfile
@@ -81,7 +81,9 @@ FROM alpine:3.20@sha256:de4fe7064d8f98419ea6b49190df1abbf43450c1702eeb864fe9ced4
 RUN apk add --no-cache bash \
     snappy \
     lz4 \
-    zlib
+    zlib \
+    && apk update \
+    && apk upgrade openssl busybox busybox-binsh ssl_client libcrypto3 libssl3
 
 ENV JAVA_HOME=/usr/lib/jvm/jdk-17.0.15+6
 ENV PATH=$JAVA_HOME/bin:$PATH
diff --git a/pom.xml b/pom.xml
index 08669868aa1..10c6c42bec7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,8 +40,12 @@
 
 	<properties>
 		<hadoop.version>3.3.6</hadoop.version>
+		<!-- Securitiy fix: io.netty/netty@3.10.6.Final -->
+		<hadoop-hdfs.version>3.4.2</hadoop-hdfs.version>
+		<!-- low 2.0: CVE-2024-23454 Improper Privilege Management -->
+		<hadoop-common.version>3.4.2</hadoop-common.version>
 		<antlr.version>4.8</antlr.version>
-		<protobuf.version>3.23.4</protobuf.version>
+		<protobuf.version>3.25.5</protobuf.version>  <!-- CVE-2024-7254 -->
 		<spark.version>3.5.0</spark.version>
 		<scala.version>2.12.18</scala.version>
 		<scala.binary.version>2.12</scala.binary.version>
@@ -52,6 +56,12 @@
 		<jcuda.version>12.6.0</jcuda.version>
 		<slf4j.version>2.0.11</slf4j.version>
 		<log4j.version>2.22.1</log4j.version>
+		<!-- Security fix: CVE-2025-68161 - pin log4j-core to 2.25.3 -->
+		<log4j-core.version>2.25.3</log4j-core.version>
+		<!-- Security fix: CVE-2024-47561 - pin avro to 1.11.4 -->
+		<avro.version>1.11.4</avro.version>
+		<!-- Security fix: CVE-2023-25613 - pin kerby to 2.0.3 -->
+		<kerby.version>2.0.3</kerby.version>
 		<maven-clean-plugin.version>3.2.0</maven-clean-plugin.version>
 		<maven-surefire-plugin.version>3.0.0</maven-surefire-plugin.version>
         <maven-checkstyle-plugin.version>3.3.1</maven-checkstyle-plugin.version>
@@ -69,7 +79,7 @@
 		<!-- aws-java-sdk-bundle.version>1.12.367</aws-java-sdk-bundle.version -->
 		<!-- Set java compile level via argument, ex: 1.8 1.9 10 11-->
 		<java.level>17</java.level>
-		<java.version>{java.level}</java.version>
+		<java.version>${java.level}</java.version>
 		<!-->Testing settings<!-->
 		<maven.test.skip>false</maven.test.skip>
 		<test>org.apache.sysds.test.usertest.**</test>
@@ -87,15 +97,32 @@
 
 		<!-- Dependent on Spark open to access deprecated api components from <= Java 11. Should be removed once Spark updates fully to Java 17 -->
 		<jvm.addopens>
-			--add-opens=java.base/java.nio=ALL-UNNAMED 
-			--add-opens=java.base/java.io=ALL-UNNAMED 
-			--add-opens=java.base/java.util=ALL-UNNAMED 
-			--add-opens=java.base/java.lang=ALL-UNNAMED 
+			--add-opens=java.base/java.nio=ALL-UNNAMED
+			--add-opens=java.base/java.io=ALL-UNNAMED
+			--add-opens=java.base/java.util=ALL-UNNAMED
+			--add-opens=java.base/java.lang=ALL-UNNAMED
 			--add-opens=java.base/java.lang.ref=ALL-UNNAMED
 			--add-opens=java.base/java.util.concurrent=ALL-UNNAMED
 			--add-opens=java.base/sun.nio.ch=ALL-UNNAMED
 			--add-modules=jdk.incubator.vector
 		</jvm.addopens>
+
+		<!-- Security fixes for high-severity CVEs (transitive dependencies) -->
+		<commons-io.version>2.14.0</commons-io.version>          <!-- CVE-2024-47554 -->
+		<jettison.version>1.5.4</jettison.version>               <!-- CVE-2023-1436 -->
+		<snappy-java.version>1.1.10.4</snappy-java.version>      <!-- CVE-2023-43642, CVE-2023-34453/4/5 -->
+		<logback.version>1.2.13</logback.version>                <!-- CVE-2023-6378 -->
+		<jackson.version>2.15.0</jackson.version>                <!-- CVE-2025-52999 -->
+		<json-smart.version>2.4.9</json-smart.version>           <!-- CVE-2023-1370 -->
+		<nimbus-jose-jwt.version>9.37.4</nimbus-jose-jwt.version><!-- CVE-2023-52428, CVE-2025-53864 -->
+		<aircompressor.version>0.27</aircompressor.version>      <!-- CVE-2024-36114 -->
+		<netty.version>4.1.124.Final</netty.version>             <!-- CVE-2025-55163, CVE-2023-44487 -->
+		<netty-codec.version>4.1.129.Final</netty-codec.version> <!-- CVE-2025-67735, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419 -->
+		<jetty.version>9.4.57.v20241219</jetty.version>          <!-- CVE-2024-6763 -->
+		<jetty-http.version>12.0.12</jetty-http.version>         <!-- CVE-2024-6763 -->
+		<xnio.version>3.8.14.Final</xnio.version>                <!-- CVE-2023-5685 -->
+		<commons-beanutils.version>1.11.0</commons-beanutils.version>  <!-- CVE-2025-48734 -->
+		<dnsjava.version>3.6.0</dnsjava.version>                 <!-- CVE-2024-25638 -->
 	</properties>
 
 	<repositories>
@@ -108,6 +135,198 @@
 		</repository>
 	</repositories>
 
+	<!-- Dependency management to pin transitive dependencies for security fixes -->
+	<dependencyManagement>
+		<dependencies>
+			<!-- CVE-2024-47554: Denial of service in Commons IO -->
+			<dependency>
+				<groupId>commons-io</groupId>
+				<artifactId>commons-io</artifactId>
+				<version>${commons-io.version}</version>
+			</dependency>
+			<!-- CVE-2023-1436: Stack overflow in Jettison -->
+			<dependency>
+				<groupId>org.codehaus.jettison</groupId>
+				<artifactId>jettison</artifactId>
+				<version>${jettison.version}</version>
+			</dependency>
+			<!-- CVE-2023-43642, CVE-2023-34453/4/5: Multiple vulnerabilities in snappy-java -->
+			<dependency>
+				<groupId>org.xerial.snappy</groupId>
+				<artifactId>snappy-java</artifactId>
+				<version>${snappy-java.version}</version>
+			</dependency>
+			<!-- CVE-2023-6378: Deserialization vulnerability in Logback -->
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-classic</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<!-- CVE-2025-52999: Stack overflow in Jackson -->
+			<dependency>
+				<groupId>com.fasterxml.jackson.core</groupId>
+				<artifactId>jackson-core</artifactId>
+				<version>${jackson.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>com.fasterxml.jackson.core</groupId>
+				<artifactId>jackson-databind</artifactId>
+				<version>${jackson.version}</version>
+			</dependency>
+			<!-- CVE-2023-1370: Stack overflow in json-smart -->
+			<dependency>
+				<groupId>net.minidev</groupId>
+				<artifactId>json-smart</artifactId>
+				<version>${json-smart.version}</version>
+			</dependency>
+			<!-- CVE-2023-52428: Resource consumption in nimbus-jose-jwt -->
+			<dependency>
+				<groupId>com.nimbusds</groupId>
+				<artifactId>nimbus-jose-jwt</artifactId>
+				<version>${nimbus-jose-jwt.version}</version>
+			</dependency>
+			<!-- CVE-2024-36114: Out-of-bounds read in aircompressor -->
+			<dependency>
+				<groupId>io.airlift</groupId>
+				<artifactId>aircompressor</artifactId>
+				<version>${aircompressor.version}</version>
+			</dependency>
+			<!-- CVE-2024-47561: Deserialization vulnerability in Apache Avro -->
+			<dependency>
+				<groupId>org.apache.avro</groupId>
+				<artifactId>avro</artifactId>
+				<version>${avro.version}</version>
+			</dependency>
+			<!-- CVE-2023-25613: LDAP Injection vulnerability in Apache Kerby -->
+			<dependency>
+				<groupId>org.apache.kerby</groupId>
+				<artifactId>kerb-admin</artifactId>
+				<version>${kerby.version}</version>
+			</dependency>
+			<!-- CVE-2025-55163, CVE-2023-44487: HTTP/2 vulnerabilities in Netty -->
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-codec-http2</artifactId>
+				<version>${netty.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-codec-http</artifactId>
+				<version>${netty-codec.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-codec-smtp</artifactId>
+				<version>${netty-codec.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-codec</artifactId>
+				<version>${netty-codec.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-common</artifactId>
+				<version>${netty.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>io.netty</groupId>
+				<artifactId>netty-handler</artifactId>
+				<version>${netty.version}</version>
+			</dependency>
+			<!-- CVE-2024-6763: HTTP request smuggling in Jetty -->
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-server</artifactId>
+				<version>${jetty.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-http</artifactId>
+				<version>${jetty-http.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-webapp</artifactId>
+				<version>${jetty.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-xml</artifactId>
+				<version>${jetty.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>org.eclipse.jetty</groupId>
+				<artifactId>jetty-servlets</artifactId>
+				<version>${jetty.version}</version>
+			</dependency>
+			<!-- CVE-2023-5685: Resource consumption in XNIO -->
+			<dependency>
+				<groupId>org.jboss.xnio</groupId>
+				<artifactId>xnio-api</artifactId>
+				<version>${xnio.version}</version>
+			</dependency>
+			<!-- CVE-2025-48734: Access control in Commons BeanUtils -->
+			<dependency>
+				<groupId>commons-beanutils</groupId>
+				<artifactId>commons-beanutils</artifactId>
+				<version>${commons-beanutils.version}</version>
+			</dependency>
+			<!-- CVE-2024-25638: DNS response validation in dnsjava -->
+			<dependency>
+				<groupId>dnsjava</groupId>
+				<artifactId>dnsjava</artifactId>
+				<version>${dnsjava.version}</version>
+			</dependency>
+			<!-- CVE-2024-7254: Stack overflow in protobuf-java (transitive override) -->
+			<dependency>
+				<groupId>com.google.protobuf</groupId>
+				<artifactId>protobuf-java</artifactId>
+				<version>${protobuf.version}</version>
+			</dependency>
+			<!-- CVE-2024-26308, CVE-2024-25710, CVE-2023-42503 -->
+			<dependency>
+				<groupId>org.apache.commons</groupId>
+				<artifactId>commons-compress</artifactId>
+				<version>1.26.0</version>
+			</dependency>
+			<!-- CVE-2024-29133, CVE-2024-29131 -->
+			<dependency>
+				<groupId>org.apache.commons</groupId>
+				<artifactId>commons-configuration2</artifactId>
+				<version>2.10.1</version>
+			</dependency>
+			<!-- CVE-2023-2976, CVE-2020-8908 -->
+			<dependency>
+				<groupId>org.apache.hadoop.thirdparty</groupId>
+				<artifactId>hadoop-shaded-guava</artifactId>
+				<version>1.5.0</version>
+			</dependency>
+			<dependency>
+				<groupId>com.google.guava</groupId>
+				<artifactId>guava</artifactId>
+				<version>33.5.0-jre</version>
+			</dependency>
+			<!-- CVE-2025-48924: Uncontrolled Recursion -->
+			<dependency>
+				<groupId>org.apache.commons</groupId>
+				<artifactId>commons-lang3</artifactId>
+				<version>3.18.0</version>
+			</dependency>
+			<!-- CVE-2025-55039: Inadequate Encryption Strength -->
+			<dependency>
+				<groupId>org.apache.spark</groupId>
+				<artifactId>spark-network-common_2.12</artifactId>
+				<version>3.5.2</version>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
 	<scm>
 		<developerConnection>scm:git:https://github.com/apache/systemds.git</developerConnection>
 		<tag>HEAD</tag>
@@ -394,7 +613,7 @@
                 </configuration>
             </plugin>
 
-            <plugin>
+			<plugin>
 				<!-- unit tests -->
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
@@ -547,7 +766,6 @@
 				</executions>
 			</plugin>
 		</plugins>
-
 	</build>
 
 	<profiles>
@@ -827,7 +1045,6 @@
 					</plugin>
 				</plugins>
 			</build>
-
 		</profile>
 
 		<profile>
@@ -969,7 +1186,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcublas</artifactId>
@@ -983,7 +1199,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcusparse</artifactId>
@@ -997,7 +1212,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcusolver</artifactId>
@@ -1011,7 +1225,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcudnn</artifactId>
@@ -1025,7 +1238,6 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<!-- for all platforms, to be included in the extra jar -->
 		<dependency>
 			<groupId>org.jcuda</groupId>
@@ -1034,7 +1246,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcublas-natives</artifactId>
@@ -1042,7 +1253,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcusparse-natives</artifactId>
@@ -1050,7 +1260,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcusolver-natives</artifactId>
@@ -1058,7 +1267,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcudnn-natives</artifactId>
@@ -1066,7 +1274,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcuda-natives</artifactId>
@@ -1074,7 +1281,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcublas-natives</artifactId>
@@ -1082,7 +1288,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcusparse-natives</artifactId>
@@ -1090,7 +1295,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcusolver-natives</artifactId>
@@ -1098,7 +1302,6 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jcuda</groupId>
 			<artifactId>jcudnn-natives</artifactId>
@@ -1106,6 +1309,22 @@
 			<version>${jcuda.version}</version>
 			<scope>${jcuda.scope}</scope>
 		</dependency>
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-handler</artifactId>
+			<version>${netty.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>org.apache.zookeeper</groupId>
+			<artifactId>zookeeper</artifactId>
+			<version>3.9.4</version>
+			<exclusions>
+				<exclusion>
+					<groupId>io.netty</groupId>
+					<artifactId>netty-handler</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
 		<dependency>
 			<groupId>org.apache.spark</groupId>
 			<artifactId>spark-core_${scala.binary.version}</artifactId>
@@ -1171,9 +1390,39 @@
 					<groupId>com.google.protobuf</groupId>
 					<artifactId>protobuf-java</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.apache.zookeeper</groupId>
+					<artifactId>zookeeper</artifactId>
+				</exclusion>
+				<!-- Exclude old guava to use managed version -->
+				<exclusion>
+					<groupId>com.google.guava</groupId>
+					<artifactId>guava</artifactId>
+				</exclusion>
+				<!-- Exclude old jackson to use managed version -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!-- Exclude old jetty to use managed version -->
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-server</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-http</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-servlets</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.spark</groupId>
 			<artifactId>spark-sql_${scala.binary.version}</artifactId>
@@ -1215,9 +1464,35 @@
 					<groupId>org.slf4j</groupId>
 					<artifactId>jul-to-slf4j</artifactId>
 				</exclusion>
+				<!-- Exclude old guava to use managed version -->
+				<exclusion>
+					<groupId>com.google.guava</groupId>
+					<artifactId>guava</artifactId>
+				</exclusion>
+				<!-- Exclude old jackson to use managed version -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!-- Exclude old jetty to use managed version -->
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-server</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-http</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-servlets</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.spark</groupId>
 			<artifactId>spark-mllib_${scala.binary.version}</artifactId>
@@ -1259,13 +1534,39 @@
 					<groupId>org.slf4j</groupId>
 					<artifactId>jul-to-slf4j</artifactId>
 				</exclusion>
+				<!-- Exclude old guava to use managed version -->
+				<exclusion>
+					<groupId>com.google.guava</groupId>
+					<artifactId>guava</artifactId>
+				</exclusion>
+				<!-- Exclude old jackson to use managed version -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!-- Exclude old jetty to use managed version -->
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-server</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-http</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-servlets</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.hadoop</groupId>
 			<artifactId>hadoop-common</artifactId>
-			<version>${hadoop.version}</version>
+			<version>${hadoop-common.version}</version>
 			<exclusions>
 				<exclusion>
 					<groupId>javax.servlet</groupId>
@@ -1295,13 +1596,43 @@
 					<groupId>org.slf4j</groupId>
 					<artifactId>jul-to-slf4j</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.apache.zookeeper</groupId>
+					<artifactId>zookeeper</artifactId>
+				</exclusion>
+				<!-- Exclude old guava to use managed version -->
+				<exclusion>
+					<groupId>com.google.guava</groupId>
+					<artifactId>guava</artifactId>
+				</exclusion>
+				<!-- Exclude old jackson to use managed version -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!-- Exclude old jetty to use managed version -->
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-server</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-http</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-servlets</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.hadoop</groupId>
 			<artifactId>hadoop-hdfs</artifactId>
-			<version>${hadoop.version}</version>
+			<version>${hadoop-hdfs.version}</version>
 			<exclusions>
 				<exclusion>
 					<groupId>javax.servlet</groupId>
@@ -1331,9 +1662,35 @@
 					<groupId>org.slf4j</groupId>
 					<artifactId>jul-to-slf4j</artifactId>
 				</exclusion>
+				<!-- Exclude old guava to use managed version -->
+				<exclusion>
+					<groupId>com.google.guava</groupId>
+					<artifactId>guava</artifactId>
+				</exclusion>
+				<!-- Exclude old jackson to use managed version -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!-- Exclude old jetty to use managed version -->
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-server</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-http</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-servlets</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.hadoop</groupId>
 			<artifactId>hadoop-client</artifactId>
@@ -1367,9 +1724,35 @@
 					<groupId>org.slf4j</groupId>
 					<artifactId>jul-to-slf4j</artifactId>
 				</exclusion>
+				<!-- Exclude old guava to use managed version -->
+				<exclusion>
+					<groupId>com.google.guava</groupId>
+					<artifactId>guava</artifactId>
+				</exclusion>
+				<!-- Exclude old jackson to use managed version -->
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+				<!-- Exclude old jetty to use managed version -->
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-server</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-http</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>org.eclipse.jetty</groupId>
+					<artifactId>jetty-servlets</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<!--dependency>
 			<groupId>org.apache.hadoop</groupId>
 			<artifactId>hadoop-aws</artifactId>
@@ -1381,7 +1764,6 @@
 			<artifactId>aws-java-sdk-bundle</artifactId>
 			<version>${aws-java-sdk-bundle.version}</version>
 		</dependency-->
-
 		<dependency>
 			<groupId>commons-logging</groupId>
 			<artifactId>commons-logging</artifactId>
@@ -1409,46 +1791,39 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-math3</artifactId>
 			<version>3.4.1</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.wink</groupId>
 			<artifactId>wink-json4j</artifactId>
 			<version>1.4</version>
 		</dependency>
-
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
 			<version>2.15.2</version>
 		</dependency>
-
 		<dependency>
 			<groupId>junit</groupId>
 			<artifactId>junit</artifactId>
 			<version>4.13.1</version>
 			<scope>provided</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.openjdk.jol</groupId>
 			<artifactId>jol-core</artifactId>
 			<version>0.10</version>
 			<scope>test</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.mockito</groupId>
 			<artifactId>mockito-core</artifactId>
 			<version>5.1.0</version>
 			<scope>test</scope>
 		</dependency>
-
 		<dependency>
 			<!--Used for annotations in tests to execute tests in thread safe manner-->
 			<groupId>com.github.stephenc.jcip</groupId>
@@ -1456,7 +1831,6 @@
 			<version>1.0-1</version>
 			<scope>test</scope>
 		</dependency>
-
 		<!-- fast java compiler for codegen, consistent version w/ spark -->
 		<dependency>
 			<groupId>org.codehaus.janino</groupId>
@@ -1464,7 +1838,6 @@
 			<version>3.1.9</version>
 			<scope>provided</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.antlr</groupId>
 			<artifactId>antlr4</artifactId>
@@ -1477,20 +1850,17 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.antlr</groupId>
 			<artifactId>antlr4-runtime</artifactId>
 			<version>${antlr.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.derby</groupId>
 			<artifactId>derby</artifactId>
 			<version>10.14.2.0</version>
 			<scope>provided</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>io.netty</groupId>
 			<artifactId>netty-all</artifactId>
@@ -1507,49 +1877,41 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>net.sf.py4j</groupId>
 			<artifactId>py4j</artifactId>
 			<version>0.10.9</version>
 		</dependency>
-
 		<dependency>
 			<groupId>com.google.protobuf</groupId>
 			<artifactId>protobuf-java</artifactId>
 			<version>${protobuf.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>com.google.protobuf</groupId>
 			<artifactId>protobuf-java-util</artifactId>
 			<version>${protobuf.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-reload4j</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>jul-to-slf4j</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>jcl-over-slf4j</artifactId>
 			<version>${slf4j.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j-api</artifactId>
@@ -1565,13 +1927,11 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
-
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
 			<artifactId>log4j-core</artifactId>
-			<version>${log4j.version}</version>
+			<version>${log4j-core.version}</version>
 		</dependency>
-
 		<dependency>
 			<groupId>ch.randelshofer</groupId>
 			<artifactId>fastdoubleparser</artifactId>
diff --git a/src/main/java/org/apache/sysds/runtime/compress/colgroup/ColGroupDDC.java b/src/main/java/org/apache/sysds/runtime/compress/colgroup/ColGroupDDC.java
index ac4defcabd5..03af6cad162 100644
--- a/src/main/java/org/apache/sysds/runtime/compress/colgroup/ColGroupDDC.java
+++ b/src/main/java/org/apache/sysds/runtime/compress/colgroup/ColGroupDDC.java
@@ -69,7 +69,9 @@
 import org.apache.sysds.runtime.matrix.operators.RightScalarOperator;
 import org.apache.sysds.runtime.matrix.operators.ScalarOperator;
 import org.apache.sysds.runtime.matrix.operators.UnaryOperator;
-import org.jboss.netty.handler.codec.compression.CompressionException;
+// import org.jboss.netty.handler.codec.compression.CompressionException;
+import io.netty.handler.codec.compression.CompressionException;
+// CVE-2019-20444: org.jboss.netty replaced by io.netty in hadoop-hdfs 3.4.2
 
 /**
  * Class to encapsulate information about a column group that is encoded with dense dictionary encoding (DDC).