apk package
chainguard/logstash-compat
pkg:apk/chainguard/logstash-compat
Vulnerabilities (24)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-45614 | — | — | | < 8.15.2-r1 | 8.15.2-r1 | Sep 19, 2024 | Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing an underscore version of the same header (X-Forwarded_For). Any users relying on proxy set variables is affect |
| CVE-2024-34158 | Hig | 7.5 | | < 8.15.1-r0 | 8.15.1-r0 | Sep 6, 2024 | Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. |
| CVE-2024-34156 | Hig | 7.5 | | < 8.15.1-r0 | 8.15.1-r0 | Sep 6, 2024 | Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
| CVE-2024-34155 | Med | 4.3 | | < 8.15.1-r0 | 8.15.1-r0 | Sep 6, 2024 | Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. |
| CVE-2024-43398 | — | — | | < 8.15.0-r2 | 8.15.0-r2 | Aug 22, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to t |
| CVE-2024-43380 | — | — | | < 8.15.0-r1 | 8.15.0-r1 | Aug 19, 2024 | fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the threa |
| CVE-2024-41946 | — | — | | < 8.15.0-r2 | 8.15.0-r2 | Aug 1, 2024 | REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability. |
| CVE-2024-41123 | — | — | | < 8.15.0-r2 | 8.15.0-r2 | Aug 1, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities. |
| CVE-2024-39908 | — | — | | < 8.15.0-r0 | 8.15.0-r0 | Jul 16, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.3.2 or |
| CVE-2024-24791 | Hig | 7.5 | | < 8.14.1-r1 | 8.14.1-r1 | Jul 2, 2024 | The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the co |
| CVE-2024-24789 | — | — | | < 8.13.4-r2 | 8.13.4-r2 | Jun 5, 2024 | The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create a zip file with contents that vary depending on the implementation reading the file. The archive/zip pac |
| CVE-2024-24790 | — | — | | < 8.13.4-r2 | 8.13.4-r2 | Jun 5, 2024 | The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
| CVE-2024-35176 | — | — | | < 8.15.0-r0 | 8.15.0-r0 | May 16, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include t |
| CVE-2024-30172 | Hig | 7.5 | | < 8.15.0-r0 | 8.15.0-r0 | May 14, 2024 | An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key. |
| CVE-2024-30171 | Med | 5.9 | | < 8.15.0-r0 | 8.15.0-r0 | May 14, 2024 | An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. |
| CVE-2024-29857 | Hig | 7.5 | | < 8.15.0-r0 | 8.15.0-r0 | May 14, 2024 | An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during |
| CVE-2024-27281 | Med | 4.5 | | < 8.14.0-r0 | 8.14.0-r0 | May 14, 2024 | An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the cl |
| CVE-2024-24788 | Med | 5.9 | | < 8.13.4-r0 | 8.13.4-r0 | May 8, 2024 | A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop. |
| CVE-2024-24787 | Med | 6.4 | | < 8.13.4-r0 | 8.13.4-r0 | May 8, 2024 | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. |
| CVE-2024-34447 | Hig | 7.5 | | < 8.15.0-r0 | 8.15.0-r0 | May 3, 2024 | An issue was discovered in the Bouncy Castle Crypto Package For Java before BC TLS Java 1.0.19 (ships with BC Java 1.78, BC Java (LTS) 2.73.6) and before BC FIPS TLS Java 1.0.19. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explici |
Page 1 of 2