VYPR

apk package

chainguard/logstash-9.1-bitnami-compat

pkg:apk/chainguard/logstash-9.1-bitnami-compat

Vulnerabilities (40)

  • CVE-2026-42256 | Medium | May 9, 2026
    affected < 9.1.10-r7 | fixed 9.1.10-r7

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a com

  • CVE-2026-34480 | High | Apr 10, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whene

  • CVE-2026-34479 | High | Apr 10, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downs

  • CVE-2026-34477 | Medium | Apr 10, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    The fix for CVE-2025-68161 (https://logging.apache.org/security.html#CVE-2025-68161) was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName (https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName)

  • CVE-2026-39324 | Critical | Apr 7, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles decryption failures when configured with secrets:. If cookie decryption fails, the implementation falls back to a default decoder instead of reject
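    The failure mode above, fail-open on decryption error, shown as an added example that is not Rack's code and not the Rack::Session::Cookie implementation: an AES-256-GCM cookie codec (demo key, constructed forged cookie) with a fail-open loader that falls back to a plaintext decoder next to a fail-closed loader that treats any decryption failure as "no session". The mapping format and all names here are assumptions for illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Demo key only (assumed); a real deployment derives it from a configured secret.
SESSION_KEY = OpenSSL::Digest.digest('SHA256', 'example-secret-do-not-use')

# Encrypt and authenticate a session hash: base64(iv || tag || ciphertext).
def encode_session(session, key = SESSION_KEY)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Returns the session hash, or nil on ANY failure (bad base64, bad tag, bad JSON).
def decrypt_session(cookie, key = SESSION_KEY)
  raw = Base64.strict_decode64(cookie)
  return nil if raw.bytesize < 28
  iv  = raw.byteslice(0, 12)
  tag = raw.byteslice(12, 16)
  ciphertext = raw.byteslice(28, raw.bytesize - 28)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  plaintext = (cipher.update(ciphertext) + cipher.final).force_encoding('UTF-8')
  JSON.parse(plaintext)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end

# Fail-open loader (the class of bug described above, illustrative): when
# authenticated decryption fails, fall back to a plain decoder, so a client can
# forge a session simply by sending the fallback format directly.
def load_session_fail_open(cookie)
  decrypt_session(cookie) || begin
    JSON.parse(Base64.strict_decode64(cookie))
  rescue ArgumentError, JSON::ParserError
    {}
  end
end

# Fail-closed loader: a cookie that does not authenticate yields an empty session.
def load_session_fail_closed(cookie)
  decrypt_session(cookie) || {}
end

# Constructed forged cookie: plain JSON that was never encrypted under the key.
FORGED_COOKIE = Base64.strict_encode64(JSON.generate('user_id' => 1, 'admin' => true))

if __FILE__ == $0
  legit = encode_session('user_id' => 42)
  p load_session_fail_closed(legit)        # {"user_id"=>42}
  p load_session_fail_open(FORGED_COOKIE)  # {"user_id"=>1, "admin"=>true}  forged, accepted
  p load_session_fail_closed(FORGED_COOKIE) # {}
end
```

    The check a reviewer wants is that the only path from cookie bytes to a trusted session hash goes through a successful tag verification; every other branch must return "no session", never a differently decoded one.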

  • CVE-2026-35611 | High | Apr 7, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic b

  • CVE-2026-35554 | High | Apr 7, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch

  • CVE-2026-34835 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and

  • CVE-2026-34827 | High | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches

  • CVE-2026-32762 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally
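    The parsing problem above, splitting an RFC 7239 Forwarded header on ";" before quoted-string values are recognised, shown as an added example that is not Rack's code: a naive parser of the kind described beside a quoted-string-aware scanner, run on a constructed header whose quoted "by" value smuggles a ";host=" parameter. The function names are assumptions.

```ruby
require 'strscan'

# RFC 7239: value = token / quoted-string; a quoted-string may contain ';' and ','
# and backslash escapes, so delimiters must only be honoured outside quotes.
FWD_TOKEN  = /[A-Za-z0-9!\#\$%&'*+\-.^_`|~]+/
FWD_QUOTED = /"(?:[^"\\]|\\.)*"/

# Naive parser: splits on ',' and ';' first, strips quotes afterwards (the
# pattern the advisory describes, reproduced for contrast; not Rack's code).
def forwarded_naive(header)
  header.split(',').map do |element|
    element.split(';').each_with_object({}) do |pair, h|
      name, value = pair.strip.split('=', 2)
      h[name.downcase] = value.to_s.delete('"') if name
    end
  end
end

# Quoted-string-aware parser: returns one hash per forwarded-element.
def forwarded_strict(header)
  ss = StringScanner.new(header)
  elements = [{}]
  until ss.eos?
    ss.skip(/[ \t]+/)
    break if ss.eos?
    if ss.skip(/,/)          # next forwarded-element
      elements << {}
      next
    end
    next if ss.skip(/;/)     # next forwarded-pair (empty pairs are allowed)
    name = ss.scan(FWD_TOKEN) or raise ArgumentError, "expected parameter name at #{ss.pos}"
    ss.skip(/=/) or raise ArgumentError, "expected '=' at #{ss.pos}"
    if (quoted = ss.scan(FWD_QUOTED))
      value = quoted[1..-2].gsub(/\\(.)/, '\1')   # unescape quoted-pair
    else
      value = ss.scan(FWD_TOKEN) or raise ArgumentError, "expected value at #{ss.pos}"
    end
    elements.last[name.downcase] = value
  end
  elements.reject(&:empty?)
end

# Constructed header: the quoted "by" value contains ';host=attacker.test'.
SMUGGLED = 'for=192.0.2.60;proto=http;by="203.0.113.43;host=attacker.test"'

if __FILE__ == $0
  p forwarded_naive(SMUGGLED)   # naive: a bogus "host" parameter appears
  p forwarded_strict(SMUGGLED)  # strict: "by" keeps the whole quoted value, no "host"
end
```

    With the naive parser the quoted text becomes a parameter the sender never legitimately supplied; anything downstream that trusts "host" or "proto" from this header (URL generation, redirects, trusted-proxy logic) sees attacker-chosen values.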

  • CVE-2026-34831 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length

  • CVE-2026-34830 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the head

  • CVE-2026-34829 | High | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HT

  • CVE-2026-34826 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte c
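    A Range header parser that caps the number of byte-range-specs before doing any per-range work, as an added example that is not Rack's get_byte_ranges and does not reproduce the CVE-2024-26141 fix. The cap of 16 and the total-size check are assumptions chosen for illustration; the parser returns nil for anything it declines to honour so the caller can fall back to serving the whole body or answering 416.

```ruby
MAX_RANGES = 16   # assumed cap; tune to what the application really needs

# Parses "bytes=..." into an array of inclusive Ruby ranges for a body of `size` bytes.
# Returns nil when the header is absent, malformed, unsatisfiable, or abusive.
def byte_ranges(header, size, max_ranges: MAX_RANGES)
  return nil unless header && header.start_with?('bytes=')
  specs = header[6..-1].split(',')
  # Count first: this is the check the advisory says was missing. A header with
  # thousands of specs is rejected before any of them is parsed.
  return nil if specs.length > max_ranges

  ranges = []
  specs.each do |spec|
    m = spec.strip.match(/\A(\d*)-(\d*)\z/) or return nil
    first, last = m[1], m[2]
    if first.empty?                      # suffix-byte-range-spec: "-N"
      return nil if last.empty?
      n = last.to_i
      return nil if n.zero?
      first = [size - n, 0].max
      last  = size - 1
    else                                 # byte-range-spec: "A-" or "A-B"
      first = first.to_i
      last  = last.empty? ? size - 1 : [last.to_i, size - 1].min
    end
    next if first > last                 # this single range is unsatisfiable; skip it
    ranges << (first..last)
  end
  return nil if ranges.empty?
  # Separate, assumed sanity check: do not promise more bytes than the resource has.
  return nil if ranges.sum(&:size) > size
  ranges
end

if __FILE__ == $0
  p byte_ranges('bytes=0-4,6-7', 10)     # [0..4, 6..7]
  p byte_ranges('bytes=-3', 10)          # [7..9]
  p byte_ranges('bytes=' + (['0-0'] * 1000).join(','), 10)  # nil: too many ranges
end
```

    Ordering matters: the count check runs on the raw split result, so the cost of a hostile header is one String#split and a length comparison, not a loop whose iterations the client controls.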

  • CVE-2026-34786 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a re

  • CVE-2026-34785 | High | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path
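    The two Rack::Static problems above, a plain string-prefix match (this entry) and rules evaluated against the raw encoded PATH_INFO rather than the path that is actually served (CVE-2026-34786 above), shown together as an added example that is not Rack's code: a naive prefix test beside a check that first percent-decodes and normalises the path and then requires a "/" segment boundary. The URL list and function names are assumptions.

```ruby
STATIC_URLS = ['/css', '/js/'].freeze   # assumed configuration

# Prefix check of the kind the advisory describes (illustrative, not Rack's code):
# '/css' also matches '/cssette.txt' or '/css-private/...'.
def static_prefix_naive?(path_info, urls = STATIC_URLS)
  urls.any? { |u| path_info.start_with?(u) }
end

def percent_decode(s)
  s.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Decode, then resolve '.' and '..' segments, so the path that is matched against
# the rules is the path that would actually be served.
def normalize_path(path_info)
  segments = []
  percent_decode(path_info).split('/').each do |seg|
    next if seg.empty? || seg == '.'
    seg == '..' ? segments.pop : segments << seg
  end
  '/' + segments.join('/')
end

# Hardened: match the normalised path, and only on a segment boundary.
def static_prefix_strict?(path_info, urls = STATIC_URLS)
  path = normalize_path(path_info)
  urls.any? do |u|
    prefix = u.chomp('/')
    path == prefix || path.start_with?(prefix + '/')
  end
end

if __FILE__ == $0
  %w[/css/app.css /cssette.txt /css%2F..%2Fsecret.txt].each do |p|
    puts "#{p}: naive=#{static_prefix_naive?(p)} strict=#{static_prefix_strict?(p)}"
  end
end
```

    The second constructed input shows why normalisation has to happen before the rule check: its raw form starts with "/css", but once decoded and resolved it is "/secret.txt", which no static rule should apply to.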

  • CVE-2026-34763 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or .,
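    Both regex-interpolation entries, the request-controlled X-Accel-Mapping value in Rack::Sendfile (CVE-2026-34830 above) and the configured root in Rack::Directory (this entry), come down to the same defect, so one added example covers both; it is not Rack's code. The "internal=external" mapping format, the function names and the sample paths are assumptions. Each unsafe function interpolates the raw string into a Regexp; each safe one passes it through Regexp.escape.

```ruby
# Unsafe: the header value is compiled as regex syntax (illustrative of the
# pattern both advisories describe; not Rack's implementation).
def accel_mapping_unsafe(mapping, path)
  internal, external = mapping.split('=', 2)
  path.sub(/\A#{internal}/, external)
end

# Safe: Regexp.escape makes the value literal. The block form of sub keeps the
# replacement literal as well (no \1-style backreference interpretation).
def accel_mapping_safe(mapping, path)
  internal, external = mapping.split('=', 2)
  path.sub(/\A#{Regexp.escape(internal)}/) { external }
end

# Unsafe: a configured root such as '/srv/site.v2' turns '.' into "any character".
def relative_to_root_unsafe(root, full_path)
  full_path.sub(/\A#{root}/, '')
end

def relative_to_root_safe(root, full_path)
  full_path.sub(/\A#{Regexp.escape(root)}/, '')
end

if __FILE__ == $0
  p accel_mapping_safe('/var/www/=/files/', '/var/www/report.pdf')   # "/files/report.pdf"
  p accel_mapping_unsafe('.*=/files/', '/var/www/report.pdf')        # "/files/": whole path swallowed
  p accel_mapping_safe('.*=/files/', '/var/www/report.pdf')          # unchanged: no literal ".*" prefix
  begin
    accel_mapping_unsafe('(=/files/', '/var/www/report.pdf')
  rescue RegexpError => e
    puts "unsafe raised: #{e.class}"                                  # one header value, one exception
  end
  p relative_to_root_unsafe('/srv/site.v2', '/srv/siteXv2/secret.txt')  # "/secret.txt": wrong directory
  p relative_to_root_safe('/srv/site.v2', '/srv/siteXv2/secret.txt')    # unchanged
end
```

    Two distinct consequences show up: an attacker-supplied metacharacter changes which paths match (".*" rewrites every path; "." in a root makes sibling directories look like the root), and an unbalanced "(" raises RegexpError on every request that carries it.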

  • CVE-2026-34230 | Medium | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Defl

  • CVE-2026-26961 | Low | Apr 2, 2026
    affected < 9.1.10-r6 | fixed 9.1.10-r6

    Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack sel

  • CVE-2026-33870 | Mar 27, 2026
    affected < 9.1.10-r5 | fixed 9.1.10-r5

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

Page 1 of 2