VYPR

apk package

chainguard/elasticsearch-fips-8.17

pkg:apk/chainguard/elasticsearch-fips-8.17

Vulnerabilities (10)

  • CVE-2026-33871 (Mar 27, 2026)
    affected: < 8.17.10-r14; fixed: 8.17.10-r14

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870 (Mar 27, 2026)
    affected: < 8.17.10-r14; fixed: 8.17.10-r14

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2025-68390 (Dec 18, 2025)
    affected: < 8.17.10-r14; fixed: 8.17.10-r14

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via a crafted HTTP request.

  • CVE-2025-68384 (Dec 18, 2025)
    affected: < 8.17.10-r14; fixed: 8.17.10-r14

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.

  • CVE-2025-67735 (Dec 16, 2025)
    affected: < 8.17.10-r3; fixed: 8.17.10-r3

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-37731 (Dec 15, 2025)
    affected: < 8.17.10-r14; fixed: 8.17.10-r14

    Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

  • CVE-2025-12183 (High, Nov 28, 2025)
    affected: < 8.17.10-r16; fixed: 8.17.10-r16

    Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

  • CVE-2025-37727 (Oct 10, 2025)
    affected: < 8.17.10-r14; fixed: 8.17.10-r14

    Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex

  • CVE-2025-8916 (Medium, Aug 13, 2025)
    affected: < 8.17.10-r1; fixed: 8.17.10-r1

    Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. BC Java bcpkix on All (API modules), Legion of the Bouncy Castle Inc. BC Java bcprov on All (API modules), Legion of the Bouncy Castle Inc. BCPKIX FIPS bcpkix-fips on All (API m

  • CVE-2025-7962 (Jul 21, 2025)
    affected: < 8.17.10-r16; fixed: 8.17.10-r16

    In Jakarta Mail 2.0.2 it is possible to perform an SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.