VYPR

apk package

chainguard/logstash-9.0

pkg:apk/chainguard/logstash-9.0

Vulnerabilities (50)

  • CVE-2026-32762MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally

  • CVE-2026-34831MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length

  • CVE-2026-34830MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the head

  • CVE-2026-34829HigApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HT

  • CVE-2026-34826MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte c

  • CVE-2026-34786MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a re

  • CVE-2026-34785HigApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path

  • CVE-2026-34763MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or .,

  • CVE-2026-34230MedApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Defl

  • CVE-2026-26961LowApr 2, 2026
    affected < 9.0.8-r20fixed 9.0.8-r20

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack sel

  • CVE-2026-33870Mar 27, 2026
    affected < 9.0.8-r24fixed 9.0.8-r24

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-25500Feb 18, 2026
    affected < 9.0.8-r11fixed 9.0.8-r11

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g.

  • CVE-2026-22860Feb 18, 2026
    affected < 9.0.8-r11fixed 9.0.8-r11

    Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root stri

  • CVE-2025-33042Feb 13, 2026
    affected < 9.0.8-r10fixed 9.0.8-r10

    Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas. This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0. Users are recommended to upgrad

  • CVE-2026-25765Feb 9, 2026
    affected < 9.0.8-r11fixed 9.0.8-r11

    Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per

  • CVE-2025-68161Dec 18, 2025
    affected < 9.0.8-r20fixed 9.0.8-r20

    The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName co

  • CVE-2025-14762MedDec 17, 2025
    affected < 9.0.8-r6fixed 9.0.8-r6

    Missing cryptographic key commitment in the AWS SDK for Ruby may allow a user with write access to the S3 bucket to introduce a new EDK that decrypts to different plaintext when the encrypted data key is stored in an "instruction file" instead of S3's metadata record. To mitiga

  • CVE-2025-67735Dec 16, 2025
    affected < 9.0.8-r17fixed 9.0.8-r17

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-66566HigDec 5, 2025
    affected < 9.0.8-r17fixed 9.0.8-r17

    yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the

  • CVE-2025-61727Dec 3, 2025
    affected < 9.0.8-r3fixed 9.0.8-r3

    An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.