apk package
chainguard/elasticsearch-8-bitnami
pkg:apk/chainguard/elasticsearch-8-bitnami
Vulnerabilities (28)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-52428 | — | < 8.13.2-r1 | 8.13.2-r1 | Feb 11, 2024 | In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. | ||
| CVE-2023-34054 | — | < 8.12.1-r0 | 8.12.1-r0 | Nov 28, 2023 | In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty | ||
| CVE-2023-34062 | — | < 8.12.1-r0 | 8.12.1-r0 | Nov 15, 2023 | In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Serv | ||
| CVE-2023-44483 | — | < 8.12.1-r0 | 8.12.1-r0 | Oct 20, 2023 | All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are | ||
| CVE-2023-33201 | — | < 8.12.1-r0 | 8.12.1-r0 | Jul 5, 2023 | Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certif | ||
| CVE-2023-1370 | — | < 8.13.2-r1 | 8.13.2-r1 | Mar 13, 2023 | [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o | ||
| CVE-2022-45146 | — | < 8.12.1-r0 | 8.12.1-r0 | Nov 21, 2022 | An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in us | ||
| CVE-2020-15522 | — | < 8.12.1-r0 | 8.12.1-r0 | May 20, 2021 | Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the ge |
- CVE-2023-52428Feb 11, 2024affected < 8.13.2-r1fixed 8.13.2-r1
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
- CVE-2023-34054Nov 28, 2023affected < 8.12.1-r0fixed 8.12.1-r0
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable if Reactor Netty
- CVE-2023-34062Nov 15, 2023affected < 8.12.1-r0fixed 8.12.1-r0
In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack. Specifically, an application is vulnerable if Reactor Netty HTTP Serv
- CVE-2023-44483Oct 20, 2023affected < 8.12.1-r0fixed 8.12.1-r0
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are
- CVE-2023-33201Jul 5, 2023affected < 8.12.1-r0fixed 8.12.1-r0
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certif
- CVE-2023-1370Mar 13, 2023affected < 8.13.2-r1fixed 8.13.2-r1
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting o
- CVE-2022-45146Nov 21, 2022affected < 8.12.1-r0fixed 8.12.1-r0
An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA before 1.0.2.4. Changes to the JVM garbage collector in Java 13 and later trigger an issue in the BC-FJA FIPS modules where it is possible for temporary keys used by the module to be zeroed out while still in us
- CVE-2020-15522May 20, 2021affected < 8.12.1-r0fixed 8.12.1-r0
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the ge
Page 2 of 2