Search
Search Results (5 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-33251 | 2 Lightbend, Linux | 2 Akka Http, Linux Kernel | 2025-01-31 | 4.7 Medium |
| When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946. | ||||
| CVE-2023-31442 | 1 Lightbend | 2 Akka Actor, Akka Discovery | 2025-01-27 | 7.5 High |
| In Lightbend Akka before 2.8.1, the async-dns resolver (used by Discovery in DNS mode and transitively by Cluster Bootstrap) uses predictable DNS transaction IDs when resolving DNS records, making DNS resolution subject to poisoning by an attacker. If the application performing discovery does not validate (e.g., via TLS) the authenticity of the discovered service, this may result in exfiltration of application data (e.g., persistence events may be published to an unintended Kafka broker). If such validation is performed, then the poisoning constitutes a denial of access to the intended service. This affects Akka 2.5.14 through 2.8.0, and Akka Discovery through 2.8.0. | ||||
| CVE-2021-23339 | 1 Lightbend | 1 Akka-http | 2024-11-21 | 5 Medium |
| This affects all versions before 10.1.14 and from 10.2.0 to 10.2.4 of package com.typesafe.akka:akka-http-core. It allows multiple Transfer-Encoding headers. | ||||
| CVE-2018-16131 | 1 Lightbend | 1 Akka Http | 2024-11-21 | N/A |
| The decodeRequest and decodeRequestWith directives in Lightbend Akka HTTP 10.1.x through 10.1.4 and 10.0.x through 10.0.13 allow remote attackers to cause a denial of service (memory consumption and daemon crash) via a ZIP bomb. | ||||
| CVE-2018-16115 | 1 Lightbend | 1 Akka | 2024-11-21 | N/A |
| Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modification because of an RNG error. A random number generator is used in Akka Remoting for TLS (both classic and Artery Remoting). Akka allows configuration of custom random number generators. For historical reasons, Akka included the AES128CounterSecureRNG and AES256CounterSecureRNG random number generators. The implementations had a bug that caused the generated numbers to be repeated after only a few bytes. The custom RNG implementations were not configured by default but examples in the documentation showed (and therefore implicitly recommended) using the custom ones. This can be used by an attacker to compromise the communication if these random number generators are enabled in configuration. It would be possible to eavesdrop, replay, or modify the messages sent with Akka Remoting/Cluster. | ||||
Page 1 of 1.