Node.js 1.1.9 vulnerability in elastic docker agent image CVE-2023-4228

This issue is related to the Docker image elastic-agent-complete (8.12.1, 8.12.2).

According to CVE-2023-4228, the Node.js 1.1.9 version is vulnerable.

Description

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

Base Score: 9.8 CRITICAL

Please remediate the vulnerability and provide the latest image without the vulnerability.
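Added example, not part of the original post and not code from the ip package or from Elastic: an SSRF-style allow check that first normalizes inet_aton-style IPv4 text (hex, octal and short forms such as the `0x7f.1` quoted in the description) to a 32-bit value, then classifies it. The function names and the range list (IPv4 only, not exhaustive) are assumptions made for illustration.

```javascript
// Parse one dotted component as inet_aton-style resolvers do:
// "0x" prefix = hex, leading "0" = octal, otherwise decimal.
function parsePart(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s, 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return NaN; // anything else ("08", "", hostnames) is rejected
}

// Convert 1 to 4 dotted components to an unsigned 32-bit number, or null.
// Leading components are one byte each; the last one fills the remaining bytes.
function toUint32(host) {
  const parts = String(host).split('.');
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.some(Number.isNaN)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  if (last > 2 ** (8 * (4 - nums.length)) - 1) return null;
  return nums.reduce((acc, n, i) => acc + n * 2 ** (8 * (3 - i)), last);
}

// Assumed (non-exhaustive) list of IPv4 ranges that are not globally routable.
const NON_PUBLIC = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 3], // multicast, reserved and broadcast
];

// Classify on the normalized numeric value, never on the raw string.
// Unparseable input fails closed (treated as not public).
function isPublicIPv4(host) {
  const value = toUint32(host);
  if (value === null) return false;
  return !NON_PUBLIC.some(([base, bits]) => {
    const start = toUint32(base);
    return value >= start && value < start + 2 ** (32 - bits);
  });
}

// Constructed sample inputs: four spellings of loopback and one public address.
for (const h of ['0x7f.1', '0177.0.0.1', '2130706433', '127.0.0.1', '8.8.8.8']) {
  console.log(h, '->', isPublicIPv4(h) ? 'public' : 'not public');
}
```

Hostnames fail closed here, so a caller would resolve the name first and run the check on the address the connection will actually use.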

Hi @miksonx, thank you for letting us know. Elastic accepts reports / information about security vulnerabilities in Elastic products via security@elastic.co. Could you please send an email to this address? This would kick off the process of addressing this issue.
