Security Deep Dive
doris
Security posture and CVE patch evidence from tracked releases.
4 actively-exploited dependency CVEs affects 4.1.1.
KEV-listed CVEs are confirmed exploited in the wild — patch urgently.
Versions by Severity
CVEs are attributed to tracked releases published before the patch release.
| Version | Published | C | H | M | L | KEV | Notes |
|---|---|---|---|---|---|---|---|
| 4.1.1 | 2026-05-25 | — | — | — | — | — | |
| 4.1.0 | 2026-04-16 | 3 | 1 | — | — | KEV 4 |
—
|
| 4.0.5 | 2026-03-31 | 3 | 1 | — | — | KEV 4 |
—
|
| 4.0.4-release | 2026-03-11 | 3 | 1 | — | — | KEV 4 |
—
|
| 4.0.3-rc03 | 2026-01-30 | 3 | 1 | — | — | KEV 4 |
—
|
— Signed
— SLSA
— SBOM
✗ Security policy
Monthly cadence · 29d median
Active maintainer
Trust Signals — 2 of 9 Present
Evidence already collected from releases and repository metadata.
2/9
Present
Signed releases
Unknown
Latest release artifact signature
Latest release
—
SLSA provenance
Unknown
Attestation predicate level
Latest release
—
SBOM published
Unknown
GitHub SBOM API
Latest release
—
SECURITY.md
Absent
GitHub repository metadata
Repository policy
Checked: 21d ago
Release cadence: monthly
Present
29d median over recent releases
Release history
Latest release: 10d ago
Maintainer active
Present
Recent commit activity
Repository
Last commit: today
Checksums (SHA256SUMS)
Not active yet
SHA256SUMS or equivalent
Release asset
Latest release: 10d ago
GitHub Actions attestation
Not active yet
actions/attest-build-provenance
Workflow file
Latest release: 10d ago
Signing assets
Not active yet
.sig, .crt, cosign.pub, or similar
Release asset
Latest release: 10d ago
0.5/10
Security Score
Dependency Exposure
375 transitive dependency
CVEs found in the latest SBOM.
54 critical.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.00 / 0.5
Max EPSS 0.944
freshness
1.00 / 1.0
3d stale
scorecard
2.00 / 4.0
⚠ Estimated — not yet collected
cve health
0.00 / 2.5
⚠ No direct scan — 54c/147h transitive CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
-1.50 / 1.5
KEV exposure detected
supply chain risk
-1.50 / 10.0
Risk 100.0/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
direct cves: clear
cve scan: estimated
Release responsiveness
release responsiveness
10.0
5%
patch speed days: no_history
Dependency exposure
dependency exposure
0.0
10%
supply chain risk: 100.0
transitive cves: 54c/147h
Provenance trust
provenance trust
5.0
40%
scorecard score: estimated
openssf badge: none
Maintainer health
maintainer health
10.0
10%
activity freshness: 3d
Operational risk
operational risk
0.0
10%
kev exposure: detected
epss max: 0.944
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 100.0/100
54
Transitive critical CVEs
4
KEV-transitive CVEs
81%
Dependency freshness
OpenSSF Badge
OpenSSF none
Badge indicates adherence to open-source best practices.
CVE Patch History
Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.
CVEs Patched by Year
Critical
High
Medium
Low
2026
4
| CVE | Severity | EPSS | Disclosed | Fixed in | Days to fix | vs Ecosystem Median | KEV |
|---|---|---|---|---|---|---|---|
| CVE-2021-44228 | CRITICAL | 99%ile | — | 4.1.1 | — | — | KEV |
| CVE-2021-45046 | CRITICAL | 99%ile | — | 4.1.1 | — | — | KEV |
| CVE-2022-22965 | CRITICAL | 99%ile | — | 4.1.1 | — | — | KEV |
| CVE-2023-44487 | HIGH | 99%ile | — | 4.1.1 | — | — | KEV |
KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.
Dependency Vulnerabilities
1412 dependencies scanned
View full dependency list →
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
54
High
147
Medium
128
Low
24
Unknown
22
4 dependency vulnerabilities are in KEV.
CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.
Critical
54
High
147
Medium
128
Low
24
Unknown
22
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2012-4449 | critical | — | org.apache.hadoop:hadoop-client | — | 4.1.1 |
| CVE-2013-4366 | critical | — | org.apache.httpcomponents:httpclient | — | 4.1.1 |
| CVE-2015-7501 | critical | — | org.apache.commons:commons-collections4 | — | 4.1.1 |
| CVE-2016-1000031 | critical | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2017-15095 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2017-17485 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2017-5645 | critical | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2017-5929 | critical | — | ch.qos.logback:logback-classic | — | 4.1.1 |
| CVE-2017-7525 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-11307 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-14718 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-14719 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-14720 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-14721 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-17190 | critical | — | org.apache.spark:spark-core_2.11 | 2.3.4 | 4.1.1 |
| CVE-2018-19360 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-19361 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-19362 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-7489 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-10202 | critical | — | org.codehaus.jackson:jackson-mapper-asl | — | 4.1.1 |
| CVE-2019-14379 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-14540 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-16335 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-16942 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-16943 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-17267 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-17531 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-17571 | critical | — | log4j:log4j | — | 4.1.1 |
| CVE-2019-20330 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-1953 | critical | — | org.apache.commons:commons-configuration2 | — | 4.1.1 |
| CVE-2020-22083 | critical | — | jsonpickle | — | 4.1.1 |
| CVE-2020-8840 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-9546 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-9547 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-9548 | critical | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2021-37404 | critical | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2021-44228 | critical | KEV | org.apache.logging.log4j:log4j-core | — | — |
| CVE-2021-45046 | critical | KEV | org.apache.logging.log4j:log4j-core | — | — |
| CVE-2022-22965 | critical | KEV | org.springframework.boot:spring-boot-starter-web | — | — |
| CVE-2022-23305 | critical | — | log4j:log4j | — | 4.1.1 |
| CVE-2022-23307 | critical | — | log4j:log4j | — | 4.1.1 |
| CVE-2022-25168 | critical | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2022-26612 | critical | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2022-33980 | critical | — | org.apache.commons:commons-configuration2 | — | 4.1.1 |
| CVE-2022-36944 | critical | — | org.scala-lang:scala-library | — | 4.1.1 |
| CVE-2022-42889 | critical | — | org.apache.commons:commons-text | — | 4.1.1 |
| CVE-2023-44981 | critical | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2024-36039 | critical | — | pymysql | — | 4.1.1 |
| CVE-2024-45337 | critical | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2024-47561 | critical | — | org.apache.avro:avro | — | 4.1.1 |
| CVE-2025-30065 | critical | — | org.apache.parquet:parquet-avro | — | 4.1.1 |
| CVE-2025-59059 | critical | — | org.apache.ranger:ranger-plugins-common | — | 4.1.1 |
| CVE-2026-33186 | critical | — | google.golang.org/grpc | 1.41.0 | 4.1.1 |
| CVE-2026-33557 | critical | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2012-3376 | high | — | org.apache.hadoop:hadoop-client | — | 4.1.1 |
| CVE-2012-6153 | high | — | org.apache.httpcomponents:httpclient | — | 4.1.1 |
| CVE-2013-2186 | high | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2014-0050 | high | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2015-1772 | high | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2015-6420 | high | — | org.apache.commons:commons-collections4 | — | 4.1.1 |
| CVE-2015-7521 | high | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2016-3083 | high | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2016-3092 | high | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2016-4970 | high | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2016-5393 | high | — | org.apache.hadoop:hadoop-common | — | 4.1.1 |
| CVE-2016-6811 | high | — | org.apache.hadoop:hadoop-common | — | 4.1.1 |
| CVE-2017-3162 | high | — | org.apache.hadoop:hadoop-client | — | 4.1.1 |
| CVE-2017-3523 | high | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2017-5637 | high | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2017-7669 | high | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2017-8028 | high | — | org.springframework.ldap:spring-ldap-core | — | 4.1.1 |
| CVE-2018-11777 | high | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2018-12022 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-12023 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-12608 | high | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2018-1320 | high | — | org.apache.thrift:libthrift | — | 4.1.1 |
| CVE-2018-3258 | high | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2018-5968 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2018-8012 | high | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2019-0205 | high | — | org.apache.thrift:libthrift | — | 4.1.1 |
| CVE-2019-10172 | high | — | org.codehaus.jackson:jackson-mapper-asl | — | 4.1.1 |
| CVE-2019-12086 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-13509 | high | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2019-14439 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-14892 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-14893 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-16869 | high | — | io.netty:netty-all | — | 4.1.1 |
| CVE-2019-2435 | high | — | mysql-connector-python | 8.0.0 | 4.1.1 |
| CVE-2020-10650 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-10672 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-10673 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-10968 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-10969 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-11111 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-11112 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-11113 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-11612 | high | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2020-11619 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-11620 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-13949 | high | — | org.apache.thrift:libthrift | — | 4.1.1 |
| CVE-2020-14060 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-14061 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-14062 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-14195 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-24616 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-24750 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-25649 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-35490 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-35491 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-35728 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36179 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36180 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36181 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36182 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36183 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36184 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36185 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36186 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36187 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36188 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36189 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-36518 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2020-7238 | high | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2020-9492 | high | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2021-20190 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2021-22569 | high | — | com.google.protobuf:protobuf-java | 2.5.0 | 4.1.1 |
| CVE-2021-33503 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2021-3749 | high | — | axios | 0.19.2 | 4.1.1 |
| CVE-2021-4104 | high | — | log4j:log4j | — | 4.1.1 |
| CVE-2021-43565 | high | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2021-43816 | high | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2021-45105 | high | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2021-46877 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2022-23302 | high | — | log4j:log4j | — | 4.1.1 |
| CVE-2022-23648 | high | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-25647 | high | — | com.google.code.gson:gson | — | 4.1.1 |
| CVE-2022-27191 | high | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2022-27664 | high | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2022-28948 | high | — | gopkg.in/yaml.v3 | 3.0.0 | 4.1.1 |
| CVE-2022-29970 | high | — | sinatra | 1.4 | 4.1.1 |
| CVE-2022-31159 | high | — | com.amazonaws:aws-java-sdk-s3 | — | 4.1.1 |
| CVE-2022-32149 | high | — | golang.org/x/text | 0.3.7 | 4.1.1 |
| CVE-2022-3509 | high | — | com.google.protobuf:protobuf-java | — | 4.1.1 |
| CVE-2022-3510 | high | — | com.google.protobuf:protobuf-java | — | 4.1.1 |
| CVE-2022-40898 | high | — | wheel | — | 4.1.1 |
| CVE-2022-41137 | high | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2022-41404 | high | — | org.ini4j:ini4j | 0.5.4 | 4.1.1 |
| CVE-2022-41723 | high | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2022-42003 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2022-42004 | high | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2023-1428 | high | — | io.grpc:grpc-protobuf | — | 4.1.1 |
| CVE-2023-22102 | high | — | mysql:mysql-connector-java | 8.0.33 | 4.1.1 |
| CVE-2023-2253 | high | — | github.com/docker/distribution | 2.8.0+incompatible | 4.1.1 |
| CVE-2023-24998 | high | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2023-26464 | high | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2023-26464 | high | — | log4j:log4j | — | 4.1.1 |
| CVE-2023-32731 | high | — | io.grpc:grpc-protobuf | — | 4.1.1 |
| CVE-2023-34455 | high | — | org.xerial.snappy:snappy-java | — | 4.1.1 |
| CVE-2023-39325 | high | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-39410 | high | — | org.apache.avro:avro | — | 4.1.1 |
| CVE-2023-43642 | high | — | org.xerial.snappy:snappy-java | — | 4.1.1 |
| CVE-2023-43804 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2023-6378 | high | — | ch.qos.logback:logback-classic | 1.2.10 | 4.1.1 |
| CVE-2024-21272 | high | — | mysql-connector-python | 8.0.0,< 8.3 | 4.1.1 |
| CVE-2024-25621 | high | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2024-36114 | high | — | io.airlift:aircompressor | — | 4.1.1 |
| CVE-2024-45296 | high | — | path-to-regexp | 2.2.0 | 4.1.1 |
| CVE-2024-47554 | high | — | commons-io:commons-io | 2.4 | 4.1.1 |
| CVE-2024-51504 | high | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2024-7254 | high | — | com.google.protobuf:protobuf-java | 2.5.0 | 4.1.1 |
| CVE-2025-22868 | high | — | golang.org/x/oauth2 | 0.0.0-20211005180243-6b3c2da341f1 | 4.1.1 |
| CVE-2025-22869 | high | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-24970 | high | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2025-27152 | high | — | axios | 0.19.2 | 4.1.1 |
| CVE-2025-46762 | high | — | org.apache.parquet:parquet-avro | — | 4.1.1 |
| CVE-2025-48976 | high | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2025-52999 | high | — | com.fasterxml.jackson.core:jackson-core | — | 4.1.1 |
| CVE-2025-54920 | high | — | org.apache.spark:spark-core_2.11 | 2.3.4 | 4.1.1 |
| CVE-2025-55163 | high | — | io.grpc:grpc-netty-shaded | — | 4.1.1 |
| CVE-2025-65637 | high | — | github.com/sirupsen/logrus | 1.8.1 | 4.1.1 |
| CVE-2025-66418 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2025-66471 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2025-67721 | high | — | io.airlift:aircompressor | — | 4.1.1 |
| CVE-2026-21441 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2026-22731 | high | — | org.springframework.boot:spring-boot-starter-actuator | 3.5.7 | 4.1.1 |
| CVE-2026-22733 | high | — | org.springframework.boot:spring-boot-starter-actuator | 3.5.7 | 4.1.1 |
| CVE-2026-24049 | high | — | wheel | — | 4.1.1 |
| CVE-2026-24281 | high | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2026-24308 | high | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2026-25639 | high | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-32274 | high | — | black | — | 4.1.1 |
| CVE-2026-34040 | high | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2026-35554 | high | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2026-40972 | high | — | org.springframework.boot:spring-boot-devtools | — | 4.1.1 |
| CVE-2026-42033 | high | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42035 | high | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42043 | high | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42198 | high | — | org.postgresql:postgresql | 42.7.3 | 4.1.1 |
| CVE-2026-43869 | high | — | org.apache.thrift:libthrift | 0.16.0 | 4.1.1 |
| GHSA-82j2-j2ch-gfr8 | high | — | rustls-webpki | 0.103.10 | 4.1.1 |
| GHSA-m425-mq94-257g | high | — | google.golang.org/grpc | 1.41.0 | 4.1.1 |
| CVE-2011-1498 | medium | — | org.apache.httpcomponents:httpclient | — | 4.1.1 |
| CVE-2014-0193 | medium | — | io.netty:netty-all | — | 4.1.1 |
| CVE-2014-0229 | medium | — | org.apache.hadoop:hadoop-common | — | 4.1.1 |
| CVE-2014-3488 | medium | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2014-3577 | medium | — | org.apache.httpcomponents:httpclient | — | 4.1.1 |
| CVE-2014-3627 | medium | — | org.apache.hadoop:hadoop-client | — | 4.1.1 |
| CVE-2015-1776 | medium | — | org.apache.hadoop:hadoop-common | — | 4.1.1 |
| CVE-2015-2575 | medium | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2015-3627 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2015-3631 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2015-5262 | medium | — | org.apache.httpcomponents:httpclient | — | 4.1.1 |
| CVE-2016-5001 | medium | — | org.apache.hadoop:hadoop-common | — | 4.1.1 |
| CVE-2016-8746 | medium | — | org.apache.ranger:ranger-plugins-common | — | 4.1.1 |
| CVE-2017-12610 | medium | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2017-12625 | medium | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2017-3161 | medium | — | org.apache.hadoop:hadoop-client | — | 4.1.1 |
| CVE-2017-3586 | medium | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2018-10237 | medium | — | com.google.guava:guava | 15.0 | 4.1.1 |
| CVE-2018-11798 | medium | — | org.apache.thrift:libthrift | — | 4.1.1 |
| CVE-2019-0201 | medium | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2019-10782 | medium | — | com.puppycrawl.tools:checkstyle | 8.14 | 4.1.1 |
| CVE-2019-12384 | medium | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-12814 | medium | — | com.fasterxml.jackson.core:jackson-databind | — | 4.1.1 |
| CVE-2019-20445 | medium | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2019-2692 | medium | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2019-9658 | medium | — | com.puppycrawl.tools:checkstyle | 8.14 | 4.1.1 |
| CVE-2020-13956 | medium | — | org.apache.httpcomponents:httpclient | — | 4.1.1 |
| CVE-2020-14340 | medium | — | org.jboss.xnio:xnio-nio | — | 4.1.1 |
| CVE-2020-15250 | medium | — | junit:junit | 4.12 | 4.1.1 |
| CVE-2020-27534 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2020-28168 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2020-7760 | medium | — | codemirror | 5.54.0 | 4.1.1 |
| CVE-2021-2471 | medium | — | mysql:mysql-connector-java | 8.0.12 | 4.1.1 |
| CVE-2021-28170 | medium | — | org.glassfish:javax.el | — | 4.1.1 |
| CVE-2021-28363 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2021-29425 | medium | — | commons-io:commons-io | 2.4 | 4.1.1 |
| CVE-2021-38153 | medium | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2021-41091 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2021-44832 | medium | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2022-21363 | medium | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2022-23471 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-24769 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2022-29526 | medium | — | golang.org/x/sys | 0.0.0-20211102192858-4dd72447c267 | 4.1.1 |
| CVE-2022-30187 | medium | — | com.azure:azure-storage-blob | — | 4.1.1 |
| CVE-2022-31030 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-3171 | medium | — | com.google.protobuf:protobuf-java | 2.5.0 | 4.1.1 |
| CVE-2022-31777 | medium | — | org.apache.spark:spark-core_2.11 | 2.3.4 | 4.1.1 |
| CVE-2022-36109 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2022-40152 | medium | — | com.fasterxml.woodstox:woodstox-core | — | 4.1.1 |
| CVE-2022-41717 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-25153 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2023-25173 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2023-2976 | medium | — | com.google.guava:guava | 15.0 | 4.1.1 |
| CVE-2023-32681 | medium | — | requests | 2.28.2 | 4.1.1 |
| CVE-2023-32732 | medium | — | io.grpc:grpc-protobuf | — | 4.1.1 |
| CVE-2023-33201 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2023-33202 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2023-34453 | medium | — | org.xerial.snappy:snappy-java | — | 4.1.1 |
| CVE-2023-34454 | medium | — | org.xerial.snappy:snappy-java | — | 4.1.1 |
| CVE-2023-34462 | medium | — | io.netty:netty-handler | — | 4.1.1 |
| CVE-2023-3978 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-44487 | medium | KEV | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | — |
| CVE-2023-45288 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-45803 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2023-45857 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2023-48795 | medium | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2023-49922 | medium | — | github.com/elastic/beats/v7 | 7.17.5 | 4.1.1 |
| CVE-2024-21503 | medium | — | black | — | 4.1.1 |
| CVE-2024-21510 | medium | — | sinatra | 1.4 | 4.1.1 |
| CVE-2024-23944 | medium | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2024-24557 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2024-24786 | medium | — | google.golang.org/protobuf | 1.27.1 | 4.1.1 |
| CVE-2024-29018 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2024-29131 | medium | — | org.apache.commons:commons-configuration2 | — | 4.1.1 |
| CVE-2024-29133 | medium | — | org.apache.commons:commons-configuration2 | — | 4.1.1 |
| CVE-2024-29857 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2024-29869 | medium | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2024-30171 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2024-31141 | medium | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2024-34447 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2024-35195 | medium | — | requests | 2.31.0 | 4.1.1 |
| CVE-2024-35255 | medium | — | com.azure:azure-identity | — | 4.1.1 |
| CVE-2024-3651 | medium | — | idna | 3.4 | 4.1.1 |
| CVE-2024-37891 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2024-38829 | medium | — | org.springframework.ldap:spring-ldap-core | — | 4.1.1 |
| CVE-2024-40635 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2024-47081 | medium | — | requests | 2.31.0 | 4.1.1 |
| CVE-2024-47535 | medium | — | io.netty:netty-common | 4.1.77 | 4.1.1 |
| CVE-2025-10543 | medium | — | github.com/eclipse/paho.mqtt.golang | 1.2.1-0.20200121105743-0d940dd29fd2 | 4.1.1 |
| CVE-2025-22870 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-22872 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-25193 | medium | — | io.netty:netty-common | 4.1.77 | 4.1.1 |
| CVE-2025-27817 | medium | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2025-30359 | medium | — | webpack-dev-server | 3.7.1 | 4.1.1 |
| CVE-2025-30360 | medium | — | webpack-dev-server | 3.7.1 | 4.1.1 |
| CVE-2025-47914 | medium | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-48924 | medium | — | org.apache.commons:commons-lang3 | — | 4.1.1 |
| CVE-2025-48924 | medium | — | commons-lang:commons-lang | — | 4.1.1 |
| CVE-2025-49128 | medium | — | com.fasterxml.jackson.core:jackson-core | — | 4.1.1 |
| CVE-2025-50181 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2025-53864 | medium | — | com.nimbusds:nimbus-jose-jwt | 10.0.1 | 4.1.1 |
| CVE-2025-58181 | medium | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-58457 | medium | — | org.apache.zookeeper:zookeeper | — | 4.1.1 |
| CVE-2025-62718 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2025-64329 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2025-68146 | medium | — | filelock | — | 4.1.1 |
| CVE-2025-68161 | medium | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2025-68383 | medium | — | github.com/elastic/beats/v7 | 7.17.5 | 4.1.1 |
| CVE-2025-71176 | medium | — | pytest | — | 4.1.1 |
| CVE-2026-22701 | medium | — | filelock | — | 4.1.1 |
| CVE-2026-25645 | medium | — | requests | 2.31.0 | 4.1.1 |
| CVE-2026-33558 | medium | — | org.apache.kafka:kafka-clients | — | 4.1.1 |
| CVE-2026-33997 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2026-34477 | medium | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2026-34478 | medium | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2026-34479 | medium | — | org.apache.logging.log4j:log4j-1.2-api | — | 4.1.1 |
| CVE-2026-34480 | medium | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2026-40175 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42034 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42036 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42038 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42039 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42041 | medium | — | axios | 0.19.2 | 4.1.1 |
| CVE-2026-42042 | medium | — | axios | 0.19.2 | 4.1.1 |
| GHSA-72hv-8253-57qq | medium | — | com.fasterxml.jackson.core:jackson-core | — | 4.1.1 |
| GHSA-7ww5-4wqc-m92c | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GHSA-jq35-85cj-fj4p | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GHSA-xmmx-7jpf-fx42 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2013-0248 | low | — | commons-fileupload:commons-fileupload | — | 4.1.1 |
| CVE-2013-2192 | low | — | org.apache.hadoop:hadoop-common | — | 4.1.1 |
| CVE-2014-0228 | low | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2017-3589 | low | — | mysql:mysql-connector-java | 5.1.26 | 4.1.1 |
| CVE-2017-3590 | low | — | mysql-connector-python | 8.0.0,< 8.3 | 4.1.1 |
| CVE-2018-1284 | low | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2018-1315 | low | — | org.apache.hive:hive-exec | — | 4.1.1 |
| CVE-2020-8908 | low | — | com.google.guava:guava | 15.0 | 4.1.1 |
| CVE-2020-9488 | low | — | org.apache.logging.log4j:log4j-core | — | 4.1.1 |
| CVE-2021-41089 | low | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2024-23454 | low | — | org.apache.hadoop:hadoop-common | 3.3.6 | 4.1.1 |
| CVE-2024-39689 | low | — | certifi | 2023.7.22 | 4.1.1 |
| CVE-2025-46392 | low | — | commons-configuration:commons-configuration | 1.6 | 4.1.1 |
| CVE-2025-54410 | low | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2025-61921 | low | — | sinatra | 1.4 | 4.1.1 |
| CVE-2026-42040 | low | — | axios | 0.19.2 | 4.1.1 |
| GHSA-5j5w-g665-5m35 | low | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GHSA-77vh-xpmg-72qh | low | — | github.com/opencontainers/image-spec | 1.0.2-0.20190823105129-775207bd45b6 | 4.1.1 |
| GHSA-965h-392x-2mh5 | low | — | rustls-webpki | 0.103.10 | 4.1.1 |
| GHSA-c9cp-9c75-9v8c | low | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GHSA-cq8v-f236-94qc | low | — | rand | 0.9.2 | 4.1.1 |
| GHSA-rhfx-m35p-ff5j | low | — | lru | 0.12.5 | 4.1.1 |
| GHSA-vp35-85q5-9f25 | low | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GHSA-xgp8-3hg3-c2mh | low | — | rustls-webpki | 0.103.10 | 4.1.1 |
| CVE-2019-14271 | unknown | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2021-44716 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2022-30636 | unknown | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2024-45338 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-47911 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-47913 | unknown | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-58190 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2026-33814 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| GO-2022-0360 | unknown | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GO-2022-1107 | unknown | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GO-2023-2153 | unknown | — | google.golang.org/grpc | 1.41.0 | 4.1.1 |
| GO-2023-2412 | unknown | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GO-2024-2846 | unknown | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GO-2024-2914 | unknown | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| RUSTSEC-2024-0384 | unknown | — | instant | 0.1.13 | 4.1.1 |
| RUSTSEC-2024-0436 | unknown | — | paste | 1.0.15 | 4.1.1 |
| RUSTSEC-2025-0134 | unknown | — | rustls-pemfile | 2.2.0 | 4.1.1 |
| RUSTSEC-2026-0002 | unknown | — | lru | 0.12.5 | 4.1.1 |
| RUSTSEC-2026-0097 | unknown | — | rand | 0.9.2 | 4.1.1 |
| RUSTSEC-2026-0098 | unknown | — | rustls-webpki | 0.103.10 | 4.1.1 |
| RUSTSEC-2026-0099 | unknown | — | rustls-webpki | 0.103.10 | 4.1.1 |
| RUSTSEC-2026-0104 | unknown | — | rustls-webpki | 0.103.10 | 4.1.1 |
Showing 375 of 375