VYPR

apk package

chainguard/kibana-8.17-bitnami

pkg:apk/chainguard/kibana-8.17-bitnami

Vulnerabilities (101)

  • CVE-2026-33036Mar 20, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expa

  • CVE-2026-2229Mar 12, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-d

  • CVE-2026-1528Mar 12, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version

  • CVE-2026-1527Mar 12, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Mem

  • CVE-2026-1526Mar 12, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without en

  • CVE-2026-1525Mar 12, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: *

  • CVE-2026-31988MedMar 11, 2026
    affected < 8.17.10-r12fixed 8.17.10-r12

    yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allo

  • CVE-2026-31802Mar 9, 2026
    affected < 8.17.10-r13fixed 8.17.10-r13

    node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd dur

  • CVE-2026-27904Feb 26, 2026
    affected < 8.17.10-r12fixed 8.17.10-r12

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), wh

  • CVE-2026-27903Feb 26, 2026
    affected < 8.17.10-r12fixed 8.17.10-r12

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-a

  • CVE-2026-26996Feb 20, 2026
    affected < 8.17.10-r12fixed 8.17.10-r12

    minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal charact

  • CVE-2026-23745Jan 16, 2026
    affected < 8.17.10-r8fixed 8.17.10-r8

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading t

  • CVE-2026-0532HigJan 14, 2026
    affected < 8.17.10-r11fixed 8.17.10-r11

    External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker

  • CVE-2026-0543Jan 13, 2026
    affected < 8.17.10-r11fixed 8.17.10-r11

    Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to e

  • CVE-2026-0531Jan 13, 2026
    affected < 8.17.10-r11fixed 8.17.10-r11

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read acce

  • CVE-2026-0530Jan 13, 2026
    affected < 8.17.10-r11fixed 8.17.10-r11

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until ser

  • CVE-2025-68665Dec 23, 2025
    affected < 8.17.10-r6fixed 8.17.10-r6

    LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify

  • CVE-2025-68422Dec 18, 2025
    affected < 8.17.10-r11fixed 8.17.10-r11

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re

  • CVE-2025-68386Dec 18, 2025
    affected < 8.17.10-r11fixed 8.17.10-r11

    Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a

  • CVE-2025-68389Dec 18, 2025
    affected < 8.17.10-r11fixed 8.17.10-r11

    Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.

Page 4 of 6