VYPR

apk package

chainguard/elasticsearch-7

pkg:apk/chainguard/elasticsearch-7

Vulnerabilities (36)

  • CVE-2024-29857HigMay 14, 2024
    affected < 7.17.22-r0fixed 7.17.22-r0

    An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during

  • CVE-2024-34447HigMay 3, 2024
    affected < 7.17.22-r0fixed 7.17.22-r0

    An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici

  • CVE-2024-29025Mar 25, 2024
    affected < 7.17.20-r0fixed 7.17.20-r0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t

  • CVE-2023-52428Feb 11, 2024
    affected < 7.17.20-r0fixed 7.17.20-r0

    In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

  • CVE-2023-44483Oct 20, 2023
    affected < 7.17.14-r3fixed 7.17.14-r3

    All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are

  • CVE-2023-4586Oct 4, 2023
    affected < 7.17.14-r2fixed 7.17.14-r2

    A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

  • CVE-2023-33201Jul 5, 2023
    affected < 7.17.14-r2fixed 7.17.14-r2

    Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certif

  • CVE-2023-2976Jun 14, 2023
    affected < 7.17.14-r2fixed 7.17.14-r2

    Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to

  • CVE-2023-1370Mar 13, 2023
    affected < 7.17.14-r2fixed 7.17.14-r2

    [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o

  • CVE-2022-1471Dec 1, 2022
    affected < 0fixed 0

    SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restric

  • CVE-2022-45146Nov 21, 2022
    affected < 7.17.15-r0fixed 7.17.15-r0

    An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in us

  • CVE-2021-40690Sep 19, 2021
    affected < 7.17.14-r2fixed 7.17.14-r2

    All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform

  • CVE-2020-15522May 20, 2021
    affected < 7.17.14-r2fixed 7.17.14-r2

    Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the ge

  • CVE-2020-8908Dec 10, 2020
    affected < 7.17.14-r2fixed 7.17.14-r2

    A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the

  • CVE-2020-13956Dec 2, 2020
    affected < 7.17.14-r2fixed 7.17.14-r2

    Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

  • CVE-2018-10237MedApr 26, 2018
    affected < 7.17.14-r2fixed 7.17.14-r2

    Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with J

Page 2 of 2