elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

Vulnerability found in logstash-oss:8.13.2 #16113

Open Skyapip opened 4 months ago

Skyapip commented 4 months ago

On scanning the logstash-oss:8.13.2 Docker image, I found the vulnerabilities below in it.


| Type | Severity | CVSS | CVE | Package Name | Package Version | Fix Status |
| -- | -- | -- | -- | -- | -- | -- |
| Jar | Critical | 9.8 | CVE-2022-46337 | derby | 10.15.2.1 | fixed in: 10.17.1.0 |
| Jar | High | 7.1 | CVE-2023-2976 | com.google.guava_guava | 25.1-android | fixed in: 32.0.0 |
| Product | Medium | 5.5 | CVE-2022-45146 | java | 17.0.10 | fixed in: 1.0.2.4 |
| Jar | Moderate | 5.3 | CVE-2024-29025 | io.netty_netty-codec-http | 4.1.100.Final | fixed in: 4.1.108.Final |
| Jar | Medium | 4.7 | CVE-2023-35116 | com.fasterxml.jackson.core_jackson-databind | 2.15.2 | fixed in: 2.16.0 |
| Jar | Medium | 4.7 | CVE-2023-35116 | com.fasterxml.jackson.core_jackson-databind | 2.15.3 | fixed in: 2.16.0 |
| Package | Medium | 0 | CVE-2024-28834 | gnutls28 | 3.6.13-2ubuntu1.10 | fixed in: 3.6.13-2ubuntu1.11 |
| Jar | Low | 3.7 | CVE-2020-9488 | org.apache.logging.log4j_log4j | 1.2-api-2 | fixed in: 2.3.2, 2.12.3, 2.13.2 |
| Jar | Low | 3.3 | CVE-2020-8908 | com.google.guava_guava | 25.1-android | fixed in: 32.0.0 |

jsvd commented 4 months ago

Thank you for your report.

Elastic's security reporting guidelines are available at https://www.elastic.co/community/security. Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

jsvd commented 4 months ago

Can you share the security scanner being used? Thank you.