apk package
chainguard/kibana-8.17-bitnami
pkg:apk/chainguard/kibana-8.17-bitnami
Vulnerabilities (101)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68387 | — | < 8.17.10-r11 | 8.17.10-r11 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han | ||
| CVE-2025-68385 | — | < 8.17.10-r11 | 8.17.10-r11 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre | ||
| CVE-2025-14874 | — | < 8.17.10-r4 | 8.17.10-r4 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | ||
| CVE-2025-37732 | — | < 8.17.10-r11 | 8.17.10-r11 | Dec 15, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing | ||
| CVE-2025-65945 | — | < 8.17.10-r5 | 8.17.10-r5 | Dec 4, 2025 | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us | ||
| CVE-2025-66030 | — | < 8.17.10-r4 | 8.17.10-r4 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. | ||
| CVE-2025-66031 | — | < 8.17.10-r4 | 8.17.10-r4 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re | ||
| CVE-2025-12816 | — | < 8.17.10-r4 | 8.17.10-r4 | Nov 25, 2025 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s | ||
| CVE-2025-64756 | — | < 0 | 0 | Nov 17, 2025 | Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. | ||
| CVE-2025-13033 | Hig | 7.5 | < 8.17.10-r2 | 8.17.10-r2 | Nov 14, 2025 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m | |
| CVE-2025-64718 | — | < 8.17.10-r3 | 8.17.10-r3 | Nov 13, 2025 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T | ||
| CVE-2025-37734 | — | < 8.17.10-r11 | 8.17.10-r11 | Nov 12, 2025 | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | ||
| CVE-2025-25017 | — | < 8.17.10-r11 | 8.17.10-r11 | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS) | ||
| CVE-2025-25018 | — | < 8.17.10-r11 | 8.17.10-r11 | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS) | ||
| CVE-2025-37728 | Med | 5.4 | < 8.17.10-r11 | 8.17.10-r11 | Oct 7, 2025 | Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the | |
| CVE-2025-25009 | — | < 8.17.10-r11 | 8.17.10-r11 | Oct 7, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||
| CVE-2025-11362 | — | < 8.17.10-r1 | 8.17.10-r1 | Oct 7, 2025 | Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that trigger | ||
| CVE-2025-57319 | Hig | 7.5 | < 0 | 0 | Sep 24, 2025 | fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia | |
| CVE-2025-59343 | Hig | — | < 8.17.10-r1 | 8.17.10-r1 | Sep 24, 2025 | tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka | |
| CVE-2025-58754 | — | < 8.17.10-r10 | 8.17.10-r10 | Sep 12, 2025 | Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire |
- CVE-2025-68387Dec 18, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han
- CVE-2025-68385Dec 18, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre
- CVE-2025-14874Dec 18, 2025affected < 8.17.10-r4fixed 8.17.10-r4
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
- CVE-2025-37732Dec 15, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing
- CVE-2025-65945Dec 4, 2025affected < 8.17.10-r5fixed 8.17.10-r5
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us
- CVE-2025-66030Nov 26, 2025affected < 8.17.10-r4fixed 8.17.10-r4
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.
- CVE-2025-66031Nov 26, 2025affected < 8.17.10-r4fixed 8.17.10-r4
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re
- CVE-2025-12816Nov 25, 2025affected < 8.17.10-r4fixed 8.17.10-r4
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s
- CVE-2025-64756Nov 17, 2025affected < 0fixed 0
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.
- affected < 8.17.10-r2fixed 8.17.10-r2
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m
- CVE-2025-64718Nov 13, 2025affected < 8.17.10-r3fixed 8.17.10-r3
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T
- CVE-2025-37734Nov 12, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
- CVE-2025-25017Oct 10, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
- CVE-2025-25018Oct 10, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
- affected < 8.17.10-r11fixed 8.17.10-r11
Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the
- CVE-2025-25009Oct 7, 2025affected < 8.17.10-r11fixed 8.17.10-r11
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
- CVE-2025-11362Oct 7, 2025affected < 8.17.10-r1fixed 8.17.10-r1
Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that trigger
- affected < 0fixed 0
fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia
- affected < 8.17.10-r1fixed 8.17.10-r1
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka
- CVE-2025-58754Sep 12, 2025affected < 8.17.10-r10fixed 8.17.10-r10
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire
Page 5 of 6