apk package
chainguard/logstash-8.18-env2yaml
pkg:apk/chainguard/logstash-8.18-env2yaml
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27142 | Med | 6.1 | < 8.18.8-r15 | 8.18.8-r15 | Mar 6, 2026 | Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap | |
| CVE-2026-27139 | Low | 2.5 | < 8.18.8-r15 | 8.18.8-r15 | Mar 6, 2026 | On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary | |
| CVE-2026-25679 | Hig | 7.5 | < 8.18.8-r15 | 8.18.8-r15 | Mar 6, 2026 | url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. | |
| CVE-2025-68121 | Cri | 10.0 | < 8.18.8-r10 | 8.18.8-r10 | Feb 5, 2026 | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and | |
| CVE-2025-61732 | — | < 8.18.8-r10 | 8.18.8-r10 | Feb 5, 2026 | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | ||
| CVE-2025-14762 | Med | 5.3 | < 8.18.8-r5 | 8.18.8-r5 | Dec 17, 2025 | Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitiga | |
| CVE-2025-67735 | — | < 8.18.8-r4 | 8.18.8-r4 | Dec 16, 2025 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh | ||
| CVE-2025-61727 | — | < 8.18.8-r3 | 8.18.8-r3 | Dec 3, 2025 | An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. | ||
| CVE-2025-61729 | — | < 8.18.8-r3 | 8.18.8-r3 | Dec 2, 2025 | Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a | ||
| CVE-2025-61921 | — | < 8.18.8-r2 | 8.18.8-r2 | Oct 10, 2025 | Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the respon | ||
| CVE-2025-61919 | — | < 8.18.8-r2 | 8.18.8-r2 | Oct 10, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large | ||
| CVE-2025-61780 | — | < 8.18.8-r2 | 8.18.8-r2 | Oct 10, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca | ||
| CVE-2025-61772 | — | < 8.18.8-r1 | 8.18.8-r1 | Oct 7, 2025 | Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin | ||
| CVE-2025-61771 | — | < 8.18.8-r1 | 8.18.8-r1 | Oct 7, 2025 | Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request | ||
| CVE-2025-61770 | — | < 8.18.8-r1 | 8.18.8-r1 | Oct 7, 2025 | Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid | ||
| CVE-2025-58057 | — | < 8.18.6-r1 | 8.18.6-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s | ||
| CVE-2025-58056 | — | < 8.18.6-r1 | 8.18.6-r1 | Sep 3, 2025 | Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch |
- affected < 8.18.8-r15fixed 8.18.8-r15
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escap
- affected < 8.18.8-r15fixed 8.18.8-r15
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary
- affected < 8.18.8-r15fixed 8.18.8-r15
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
- affected < 8.18.8-r10fixed 8.18.8-r10
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and
- CVE-2025-61732Feb 5, 2026affected < 8.18.8-r10fixed 8.18.8-r10
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- affected < 8.18.8-r5fixed 8.18.8-r5
Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitiga
- CVE-2025-67735Dec 16, 2025affected < 8.18.8-r4fixed 8.18.8-r4
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
- CVE-2025-61727Dec 3, 2025affected < 8.18.8-r3fixed 8.18.8-r3
An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.
- CVE-2025-61729Dec 2, 2025affected < 8.18.8-r3fixed 8.18.8-r3
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a
- CVE-2025-61921Oct 10, 2025affected < 8.18.8-r2fixed 8.18.8-r2
Sinatra is a domain-specific language for creating web applications in Ruby. In versions prior to 4.2.0, there is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the respon
- CVE-2025-61919Oct 10, 2025affected < 8.18.8-r2fixed 8.18.8-r2
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large
- CVE-2025-61780Oct 10, 2025affected < 8.18.8-r2fixed 8.18.8-r2
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca
- CVE-2025-61772Oct 7, 2025affected < 8.18.8-r1fixed 8.18.8-r1
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin
- CVE-2025-61771Oct 7, 2025affected < 8.18.8-r1fixed 8.18.8-r1
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request
- CVE-2025-61770Oct 7, 2025affected < 8.18.8-r1fixed 8.18.8-r1
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid
- CVE-2025-58057Sep 3, 2025affected < 8.18.6-r1fixed 8.18.6-r1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s
- CVE-2025-58056Sep 3, 2025affected < 8.18.6-r1fixed 8.18.6-r1
Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch