apk package
chainguard/kibana-8.19-bitnami
pkg:apk/chainguard/kibana-8.19-bitnami
Vulnerabilities (131)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-68665 | — | < 8.19.9-r2 | 8.19.9-r2 | Dec 23, 2025 | LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify | ||
| CVE-2025-68422 | — | < 8.19.11-r0 | 8.19.11-r0 | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re | ||
| CVE-2025-68386 | — | < 8.19.11-r0 | 8.19.11-r0 | Dec 18, 2025 | Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a | ||
| CVE-2025-68389 | — | < 8.19.11-r0 | 8.19.11-r0 | Dec 18, 2025 | Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request. | ||
| CVE-2025-68387 | — | < 8.19.11-r0 | 8.19.11-r0 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han | ||
| CVE-2025-68385 | — | < 8.19.11-r0 | 8.19.11-r0 | Dec 18, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre | ||
| CVE-2025-14874 | — | < 8.19.8-r0 | 8.19.8-r0 | Dec 18, 2025 | A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser. | ||
| CVE-2025-68154 | — | < 0 | 0 | Dec 16, 2025 | systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com | ||
| CVE-2025-37732 | — | < 8.19.11-r0 | 8.19.11-r0 | Dec 15, 2025 | Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing | ||
| CVE-2025-65945 | — | < 8.19.8-r1 | 8.19.8-r1 | Dec 4, 2025 | auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us | ||
| CVE-2025-66030 | — | < 8.19.7-r2 | 8.19.7-r2 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. | ||
| CVE-2025-66031 | — | < 8.19.7-r2 | 8.19.7-r2 | Nov 26, 2025 | Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re | ||
| CVE-2025-12816 | — | < 8.19.7-r2 | 8.19.7-r2 | Nov 25, 2025 | An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s | ||
| CVE-2025-64756 | — | < 0 | 0 | Nov 17, 2025 | Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. | ||
| CVE-2025-13033 | Hig | 7.5 | < 8.19.5-r1 | 8.19.5-r1 | Nov 14, 2025 | A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m | |
| CVE-2025-13204 | — | < 8.19.15-r0 | 8.19.15-r0 | Nov 14, 2025 | npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue. | ||
| CVE-2025-64718 | — | < 8.19.7-r1 | 8.19.7-r1 | Nov 13, 2025 | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T | ||
| CVE-2025-37734 | — | < 8.19.11-r0 | 8.19.11-r0 | Nov 12, 2025 | Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant. | ||
| CVE-2025-48985 | — | < 8.19.9-r0 | 8.19.9-r0 | Nov 7, 2025 | A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48 | ||
| CVE-2025-12735 | — | < 8.19.15-r0 | 8.19.15-r0 | Nov 5, 2025 | The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object |
- CVE-2025-68665Dec 23, 2025affected < 8.19.9-r2fixed 8.19.9-r2
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ify
- CVE-2025-68422Dec 18, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully re
- CVE-2025-68386Dec 18, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a
- CVE-2025-68389Dec 18, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
- CVE-2025-68387Dec 18, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function han
- CVE-2025-68385Dec 18, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a pre
- CVE-2025-14874Dec 18, 2025affected < 8.19.8-r0fixed 8.19.8-r0
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
- CVE-2025-68154Dec 16, 2025affected < 0fixed 0
systeminformation is a System and OS information library for node.js. In versions prior to 5.27.14, the `fsSize()` function in systeminformation is vulnerable to OS command injection on Windows systems. The optional `drive` parameter is directly concatenated into a PowerShell com
- CVE-2025-37732Dec 15, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to render HTML tags within a user’s browser via the integration package upload functionality. This issue is related to ESA-2025-17 (CVE-2025-25018) bypassing
- CVE-2025-65945Dec 4, 2025affected < 8.19.8-r1fixed 8.19.8-r1
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they us
- CVE-2025-66030Nov 26, 2025affected < 8.19.7-r2fixed 8.19.7-r2
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs.
- CVE-2025-66031Nov 26, 2025affected < 8.19.7-r2fixed 8.19.7-r2
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded re
- CVE-2025-12816Nov 25, 2025affected < 8.19.7-r2fixed 8.19.7-r2
An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and s
- CVE-2025-64756Nov 17, 2025affected < 0fixed 0
Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.
- affected < 8.19.5-r1fixed 8.19.5-r1
A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to m
- CVE-2025-13204Nov 14, 2025affected < 8.19.15-r0fixed 8.19.15-r0
npm package `expr-eval` is vulnerable to Prototype Pollution. An attacker with access to express eval interface can use JavaScript prototype-based inheritance model to achieve arbitrary code execution. The npm expr-eval-fork package resolves this issue.
- CVE-2025-64718Nov 13, 2025affected < 8.19.7-r1fixed 8.19.7-r1
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. T
- CVE-2025-37734Nov 12, 2025affected < 8.19.11-r0fixed 8.19.11-r0
Origin Validation Error in Kibana can lead to Server-Side Request Forgery via a forged Origin HTTP header processed by the Observability AI Assistant.
- CVE-2025-48985Nov 7, 2025affected < 8.19.9-r0fixed 8.19.9-r0
A vulnerability in Vercel’s AI SDK has been fixed in versions 5.0.52, 5.1.0-beta.9, and 6.0.0-beta. This issue may have allowed users to bypass filetype whitelists when uploading files. All users are encouraged to upgrade. More details: https://vercel.com/changelog/cve-2025-48
- CVE-2025-12735Nov 5, 2025affected < 8.19.15-r0fixed 8.19.15-r0
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted context object or use MEMBER of the context object
Page 6 of 7