apk package

chainguard/elasticsearch-8-bitnami

pkg:apk/chainguard/elasticsearch-8-bitnami

Vulnerabilities (28)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2025-54988		—	< 8.19.2-r1	8.19.2-r1	Aug 20, 2025	Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger ma
CVE-2025-22227	Med	6.1	< 8.18.3-r2	8.18.3-r2	Jul 16, 2025	In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
CVE-2025-48924		—	< 8.19.2-r3	8.19.2-r3	Jul 11, 2025	Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
CVE-2025-31672		—	< 8.18.0-r1	8.18.0-r1	Apr 9, 2025	Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in t
CVE-2025-25193		—	< 0	0	Feb 10, 2025	Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
CVE-2024-12539		—	< 8.17.0-r0	8.17.0-r0	Dec 17, 2024	An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.
CVE-2024-47535		—	< 0	0	Nov 12, 2024	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
CVE-2024-7254		—	< 8.15.3-r0	8.15.3-r0	Sep 19, 2024	Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf
CVE-2024-37280		—	< 8.14.1-r0	8.14.1-r0	Jun 13, 2024	A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lea
CVE-2024-23445		—	< 8.14.1-r0	8.14.1-r0	Jun 12, 2024	It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_s
CVE-2024-30172	Hig	7.5	< 8.13.4-r1	8.13.4-r1	May 14, 2024	An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
CVE-2024-30171	Med	5.9	< 8.13.4-r1	8.13.4-r1	May 14, 2024	An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
CVE-2024-29857	Hig	7.5	< 8.13.4-r1	8.13.4-r1	May 14, 2024	An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during
CVE-2024-34447	Hig	7.5	< 8.13.4-r1	8.13.4-r1	May 3, 2024	An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici
CVE-2024-23451		—	< 8.13.1-r0	8.13.1-r0	Mar 27, 2024	Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Clu
CVE-2024-23450		—	< 8.13.1-r0	8.13.1-r0	Mar 27, 2024	A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
CVE-2024-29025		—	< 8.13.2-r1	8.13.2-r1	Mar 25, 2024	Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t
CVE-2024-21742		—	< 8.13.2-r1	8.13.2-r1	Feb 27, 2024	Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.
CVE-2024-25710		—	< 8.13.2-r1	8.13.2-r1	Feb 19, 2024	Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
CVE-2024-26308		—	< 8.13.2-r1	8.13.2-r1	Feb 19, 2024	Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

CVE-2025-54988Aug 20, 2025
affected < 8.19.2-r1fixed 8.19.2-r1
Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger ma
CVE-2025-22227MedJul 16, 2025
affected < 8.18.3-r2fixed 8.18.3-r2
In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.
CVE-2025-48924Jul 11, 2025
affected < 8.19.2-r3fixed 8.19.2-r3
Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowErr
CVE-2025-31672Apr 9, 2025
affected < 8.18.0-r1fixed 8.18.0-r1
Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in t
CVE-2025-25193Feb 10, 2025
affected < 0fixed 0
Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts
CVE-2024-12539Dec 17, 2024
affected < 8.17.0-r0fixed 8.17.0-r0
An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.
CVE-2024-47535Nov 12, 2024
affected < 0fixed 0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application
CVE-2024-7254Sep 19, 2024
affected < 8.15.3-r0fixed 8.15.3-r0
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf
CVE-2024-37280Jun 13, 2024
affected < 8.14.1-r0fixed 8.14.1-r0
A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lea
CVE-2024-23445Jun 12, 2024
affected < 8.14.1-r0fixed 8.14.1-r0
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_s
CVE-2024-30172HigMay 14, 2024
affected < 8.13.4-r1fixed 8.13.4-r1
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
CVE-2024-30171MedMay 14, 2024
affected < 8.13.4-r1fixed 8.13.4-r1
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
CVE-2024-29857HigMay 14, 2024
affected < 8.13.4-r1fixed 8.13.4-r1
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during
CVE-2024-34447HigMay 3, 2024
affected < 8.13.4-r1fixed 8.13.4-r1
An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici
CVE-2024-23451Mar 27, 2024
affected < 8.13.1-r0fixed 8.13.1-r0
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Clu
CVE-2024-23450Mar 27, 2024
affected < 8.13.1-r0fixed 8.13.1-r0
A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash.
CVE-2024-29025Mar 25, 2024
affected < 8.13.2-r1fixed 8.13.2-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, t
CVE-2024-21742Feb 27, 2024
affected < 8.13.2-r1fixed 8.13.2-r1
Improper input validation allows for header injection in MIME4J library when using MIME4J DOM for composing message. This can be exploited by an attacker to add unintended headers to MIME messages.
CVE-2024-25710Feb 19, 2024
affected < 8.13.2-r1fixed 8.13.2-r1
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
CVE-2024-26308Feb 19, 2024
affected < 8.13.2-r1fixed 8.13.2-r1
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

Page 1 of 2