MidnightBSD

Advisories for akka

CVE-2017-1000034 HIGH

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-502,

Products Affected

Vendor Product Version
akka akka *
akka akka 2.5
CVE-2017-1000118 MEDIUM

Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header Causes StackOverflowError Leading to Denial of Service

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
akka http_server *
CVE-2021-42697 MEDIUM

Akka HTTP 10.1.x before 10.1.15 and 10.2.x before 10.2.7 can encounter stack exhaustion while parsing HTTP headers, which allows a remote attacker to conduct a Denial of Service attack by sending a User-Agent header with deeply nested comments.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-674,

Products Affected

Vendor Product Version
akka http_server *
CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
microsoft windows_10_1607 *
redhat service_interconnect 1.0
redhat process_automation 7.0
redhat jboss_fuse 6.0.0
redhat integration_service_registry -
cisco crosswork_data_gateway *
redhat migration_toolkit_for_applications 6.0
redhat jboss_enterprise_application_platform 7.0.0
redhat advanced_cluster_security 4.0
redhat openshift_virtualization 4
microsoft .net *
f5 big-ip_access_policy_manager 17.1.0
cisco secure_malware_analytics *
f5 nginx_plus r29
cisco ultra_cloud_core_-_serving_gateway_function *
kazu-yamamoto http2 *
redhat build_of_optaplanner 8.0
redhat satellite 6.0
redhat decision_manager 7.0
redhat openshift_pipelines -
f5 big-ip_webaccelerator *
redhat openshift_container_platform 4.0
f5 big-ip_advanced_web_application_firewall *
golang http2 *
redhat openshift -
fedoraproject fedora 37
linkerd linkerd 2.14.0
redhat jboss_fuse 7.0.0
redhat openshift_container_platform_assisted_installer -
debian debian_linux 10.0
f5 big-ip_application_visibility_and_reporting *
cisco ultra_cloud_core_-_policy_control_function *
envoyproxy envoy 1.26.4
cisco ios_xe *
redhat cryostat 2.0
f5 big-ip_global_traffic_manager 17.1.0
f5 big-ip_local_traffic_manager 17.1.0
cisco prime_access_registrar *
redhat network_observability_operator -
apache solr *
cisco connected_mobile_experiences *
apache tomcat 11.0.0
golang networking *
f5 big-ip_link_controller 17.1.0
grpc grpc 1.57.0
f5 big-ip_link_controller *
f5 big-ip_websafe *
cisco unified_contact_center_domain_manager -
cisco data_center_network_manager -
f5 big-ip_application_acceleration_manager 17.1.0
redhat migration_toolkit_for_containers -
redhat ceph_storage 5.0
akka http_server *
redhat jboss_data_grid 7.0.0
redhat enterprise_linux 9.0
envoyproxy envoy 1.25.9
f5 big-ip_ssl_orchestrator 17.1.0
microsoft windows_11_22h2 *
microsoft windows_11_21h2 *
redhat web_terminal -
cisco secure_web_appliance_firmware *
linecorp armeria *
golang go *
apple swiftnio_http/2 *
linkerd linkerd 2.14.1
redhat jboss_enterprise_application_platform 6.0.0
redhat cert-manager_operator_for_red_hat_openshift -
f5 big-ip_global_traffic_manager *
jenkins jenkins *
cisco business_process_automation *
netty netty *
f5 big-ip_analytics 17.1.0
linkerd linkerd 2.13.1
microsoft asp.net_core *
amazon opensearch_data_prepper *
grpc grpc *
envoyproxy envoy 1.27.0
netapp astra_control_center -
f5 nginx *
f5 big-ip_carrier-grade_nat *
redhat service_telemetry_framework 1.5
traefik traefik 3.0.0
f5 big-ip_next_service_proxy_for_kubernetes *
redhat node_healthcheck_operator -
cisco crosswork_data_gateway 5.0
redhat openshift_sandboxed_containers -
redhat jboss_a-mq 7
redhat openshift_distributed_tracing -
redhat openstack_platform 16.1
cisco crosswork_situation_manager -
redhat logging_subsystem_for_red_hat_openshift -
f5 big-ip_application_acceleration_manager *
redhat openshift_serverless -
nodejs node.js *
cisco prime_network_registrar *
istio istio *
redhat migration_toolkit_for_virtualization -
redhat openshift_service_mesh 2.0
apache apisix *
linkerd linkerd *
redhat advanced_cluster_management_for_kubernetes 2.0
cisco secure_dynamic_attributes_connector *
cisco enterprise_chat_and_email -
f5 big-ip_application_security_manager 17.1.0
f5 big-ip_advanced_firewall_manager *
f5 big-ip_domain_name_system 17.1.0
cisco unified_contact_center_enterprise_-_live_data_server *
redhat support_for_spring_boot -
f5 big-ip_ddos_hybrid_defender *
eclipse jetty *
f5 big-ip_next 20.0.1
redhat build_of_quarkus -
f5 big-ip_fraud_protection_service *
facebook proxygen *
redhat fence_agents_remediation_operator -
redhat advanced_cluster_security 3.0
redhat openshift_developer_tools_and_services -
redhat ansible_automation_platform 2.0
f5 big-ip_analytics *
redhat cost_management -
redhat openshift_secondary_scheduler_operator -
f5 big-ip_application_security_manager *
f5 big-ip_application_visibility_and_reporting 17.1.0
f5 nginx_ingress_controller *
cisco ultra_cloud_core_-_session_management_function *
debian debian_linux 12.0
redhat quay 3.0.0
f5 big-ip_local_traffic_manager *
microsoft windows_server_2022 -
cisco expressway *
cisco fog_director *
redhat openshift_dev_spaces -
cisco iot_field_network_director *
traefik traefik *
redhat machine_deletion_remediation_operator -
microsoft windows_10_1809 *
redhat openshift_data_science -
f5 big-ip_domain_name_system *
nghttp2 nghttp2 *
f5 big-ip_ddos_hybrid_defender 17.1.0
dena h2o *
f5 big-ip_policy_enforcement_manager 17.1.0
cisco unified_contact_center_enterprise -
microsoft visual_studio_2022 *
f5 big-ip_advanced_web_application_firewall 17.1.0
redhat integration_camel_for_spring_boot -
redhat integration_camel_k -
ietf http 2.0
konghq kong_gateway *
microsoft cbl-mariner *
cisco telepresence_video_communication_server *
varnish_cache_project varnish_cache *
redhat 3scale_api_management_platform 2.0
cisco unified_attendant_console_advanced -
linkerd linkerd 2.13.0
cisco ios_xr *
microsoft windows_server_2016 -
microsoft windows_10_21h2 *
cisco prime_infrastructure *
microsoft windows_10_22h2 *
microsoft azure_kubernetes_service *
netapp oncommand_insight -
apache tomcat *
f5 nginx_plus *
redhat enterprise_linux 6.0
f5 nginx_plus r30
cisco prime_cable_provisioning *
f5 big-ip_websafe 17.1.0
redhat enterprise_linux 8.0
f5 big-ip_carrier-grade_nat 17.1.0
redhat single_sign-on 7.0
microsoft windows_server_2019 -
f5 big-ip_ssl_orchestrator *
projectcontour contour *
redhat openshift_gitops -
redhat node_maintenance_operator -
apache traffic_server *
cisco unified_contact_center_management_portal -
redhat openstack_platform 16.2
cisco crosswork_zero_touch_provisioning *
f5 big-ip_advanced_firewall_manager 17.1.0
redhat openshift_api_for_data_protection -
cisco nx-os *
debian debian_linux 11.0
cisco firepower_threat_defense *
redhat run_once_duration_override_operator -
redhat certification_for_red_hat_enterprise_linux 9.0
redhat jboss_core_services -
openresty openresty *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
fedoraproject fedora 38
f5 big-ip_webaccelerator 17.1.0
redhat openstack_platform 17.1
f5 big-ip_fraud_protection_service 17.1.0
f5 big-ip_access_policy_manager *
f5 big-ip_policy_enforcement_manager *
caddyserver caddy *
redhat self_node_remediation_operator -
envoyproxy envoy 1.24.10
redhat certification_for_red_hat_enterprise_linux 8.0
redhat jboss_a-mq_streams -
CVE-2025-46548

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users that rely on authentication instead of making sure the Management API ports are only available to trusted users are recommended to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
apache pekko_management *
akka akka_management *