apk package
chainguard/elasticsearch-fips-8.19
pkg:apk/chainguard/elasticsearch-fips-8.19
Vulnerabilities (29)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34478 | Hig | 7.5 | < 8.19.14-r1 | 8.19.14-r1 | Apr 10, 2026 | Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinc | |
| CVE-2026-34477 | Med | 5.9 | < 8.19.14-r1 | 8.19.14-r1 | Apr 10, 2026 | The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName | |
| CVE-2026-33871 | — | < 8.19.13-r2 | 8.19.13-r2 | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o | ||
| CVE-2026-33870 | — | < 8.19.13-r2 | 8.19.13-r2 | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an | ||
| CVE-2025-68161 | — | < 8.19.13-r4 | 8.19.13-r4 | Dec 18, 2025 | The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co | ||
| CVE-2025-67735 | — | < 8.19.8-r2 | 8.19.8-r2 | Dec 16, 2025 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh | ||
| CVE-2025-58057 | — | < 8.19.3-r0 | 8.19.3-r0 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s | ||
| CVE-2025-58056 | — | < 8.19.3-r0 | 8.19.3-r0 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch | ||
| CVE-2025-7962 | — | < 8.19.13-r4 | 8.19.13-r4 | Jul 21, 2025 | In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages. |
- affected < 8.19.14-r1fixed 8.19.14-r1
Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinc
- affected < 8.19.14-r1fixed 8.19.14-r1
The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName
- CVE-2026-33871Mar 27, 2026affected < 8.19.13-r2fixed 8.19.13-r2
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o
- CVE-2026-33870Mar 27, 2026affected < 8.19.13-r2fixed 8.19.13-r2
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
- CVE-2025-68161Dec 18, 2025affected < 8.19.13-r4fixed 8.19.13-r4
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co
- CVE-2025-67735Dec 16, 2025affected < 8.19.8-r2fixed 8.19.8-r2
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
- CVE-2025-58057Sep 3, 2025affected < 8.19.3-r0fixed 8.19.3-r0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
- CVE-2025-58056Sep 3, 2025affected < 8.19.3-r0fixed 8.19.3-r0
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch
- CVE-2025-7962Jul 21, 2025affected < 8.19.13-r4fixed 8.19.13-r4
In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages.
Page 2 of 2