apk package
chainguard/kibana-8.18-bitnami
pkg:apk/chainguard/kibana-8.18-bitnami
Vulnerabilities (51)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-37734 | — | < 8.18.8-r10 | 8.18.8-r10 | Nov 12, 2025 | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | ||
| CVE-2025-25017 | — | < 8.18.8-r10 | 8.18.8-r10 | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS) | ||
| CVE-2025-25018 | — | < 8.18.8-r10 | 8.18.8-r10 | Oct 10, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS) | ||
| CVE-2025-37728 | Med | 5.4 | < 8.18.8-r10 | 8.18.8-r10 | Oct 7, 2025 | Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the | |
| CVE-2025-25009 | — | < 8.18.8-r10 | 8.18.8-r10 | Oct 7, 2025 | Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload. | ||
| CVE-2025-11362 | — | < 8.18.8-r0 | 8.18.8-r0 | Oct 7, 2025 | Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that trigger | ||
| CVE-2025-57319 | Hig | 7.5 | < 0 | 0 | Sep 24, 2025 | fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia | |
| CVE-2025-59343 | Hig | — | < 8.18.7-r1 | 8.18.7-r1 | Sep 24, 2025 | tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka | |
| CVE-2025-58754 | — | < 8.18.8-r1 | 8.18.8-r1 | Sep 12, 2025 | Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire | ||
| CVE-2025-9910 | Med | 4.7 | < 8.18.7-r0 | 8.18.7-r0 | Sep 11, 2025 | Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and th | |
| CVE-2025-25012 | — | < 8.18.8-r10 | 8.18.8-r10 | Jun 25, 2025 | URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. |
- CVE-2025-37734Nov 12, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
- CVE-2025-25017Oct 10, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Cross-Site Scripting (XSS)
- CVE-2025-25018Oct 10, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to stored Cross-Site Scripting (XSS)
- affected < 8.18.8-r10fixed 8.18.8-r10
Insufficiently Protected Credentials in the Crowdstrike connector can lead to Crowdstrike credentials being leaked. A malicious user can access cached credentials from a Crowdstrike connector in another space by creating and running a Crowdstrike connector in a space to which the
- CVE-2025-25009Oct 7, 2025affected < 8.18.8-r10fixed 8.18.8-r10
Improper Neutralization of Input During Web Page Generation in Kibana can lead to Stored XSS via case file upload.
- CVE-2025-11362Oct 7, 2025affected < 8.18.8-r0fixed 8.18.8-r0
Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that trigger
- affected < 0fixed 0
fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denia
- affected < 8.18.7-r1fixed 8.18.7-r1
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A worka
- CVE-2025-58754Sep 12, 2025affected < 8.18.8-r1fixed 8.18.8-r1
Axios is a promise based HTTP client for the browser and Node.js. When Axios starting in version 0.28.0 and prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire
- affected < 8.18.7-r0fixed 8.18.7-r0
Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and th
- CVE-2025-25012Jun 25, 2025affected < 8.18.8-r10fixed 8.18.8-r10
URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL.
Page 3 of 3