VYPR

apk package

chainguard/kibana-7

pkg:apk/chainguard/kibana-7

Vulnerabilities (30)

  • CVE-2025-27152Mar 7, 2025
    affected < 7.17.29-r5fixed 7.17.29-r5

    axios is a promise based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leaka

  • CVE-2024-21538HigNov 8, 2024
    affected < 7.17.25-r1fixed 7.17.25-r1

    Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted

  • CVE-2024-47764MedOct 4, 2024
    affected < 7.17.25-r1fixed 7.17.25-r1

    cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the coo

  • CVE-2024-39338Aug 9, 2024
    affected < 7.17.24-r0fixed 7.17.24-r0

    axios 1.7.2 allows SSRF via unexpected behavior where requests for path relative URLs get processed as protocol relative URLs.

  • CVE-2024-37890HigJun 17, 2024
    affected < 7.17.24-r0fixed 7.17.24-r0

    ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (e

  • CVE-2024-29415HigMay 27, 2024
    affected < 7.17.28-r0fixed 7.17.28-r0

    The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for

  • CVE-2024-4068May 13, 2024
    affected < 7.17.23-r0fixed 7.17.23-r0

    The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program

  • CVE-2024-4067May 13, 2024
    affected < 7.17.25-r0fixed 7.17.25-r0

    The NPM package `micromatch` prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching w

  • CVE-2024-28849Mar 14, 2024
    affected < 7.17.24-r0fixed 7.17.24-r0

    follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. In affected versions follow-redirects only clears authorization header during cross-domain redirect, but keep the proxy-authentication header which

  • CVE-2023-26159HigJan 2, 2024
    affected < 7.17.24-r0fixed 7.17.24-r0

    Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this

Page 2 of 2