Vulnerability Reportelasticsearch:8.17.0

elasticsearch:8.17.0
DIGESTsha256:0681af5779b516b0652df86aa1db52e225f2d4e68bb3a3099534377b7f788739

Executive Summary

Last scanned:

Threat Score
100/100DANGEROUS
Reputation
TRUSTED

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit XXE in Apache Tika to read sensitive data or execute malicious requests via crafted PDFs, perform HTTP request smuggling via Netty to poison caches or bypass security controls, and cause denial of service via HTTP/2 frame floods. Disabling the ingest attachment plugin would mitigate the Tika-related vulnerabilities (CVE-2025-66516, CVE-2025-54988), but the Netty HTTP and SSL vulnerabilities are inherent to the server and require patching. Immediate upgrade of Elasticsearch and its dependencies is necessary to address these critical issues.

Vulnerabilities

Vulnerability Log

97 total
CVE IDAdjusted SeverityPackageExploit ProbabilityRisk Context
CVE-2025-66516CRITICAL10
org.apache.tika:tika-core
2.9.2
fixed in 3.2.2
79.8%
Actively Exploited
Directly ExposedContext importance: HIGH
CVE-2025-66516CRITICAL10
org.apache.tika:tika-parser-pdf-module
2.9.2
fixed in 3.2.2
79.8%
Actively Exploited
Directly ExposedContext importance: HIGH
CVE-2025-54988CRITICAL9.4
org.apache.tika:tika-parser-pdf-module
2.9.2
fixed in 3.2.2
3.0%
Low-Moderate Risk
Directly ExposedContext importance: HIGH
CVE-2026-42581HIGH8.33
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-33871HIGH7.5
io.netty:netty-codec-http2
4.1.115.Final
fixed in 4.1.132.Final, 4.2.11.Final
1.1%
Low-Moderate Risk
Directly ExposedContext importance: HIGH
CVE-2025-24970HIGH7.5
io.netty:netty-handler
4.1.115.Final
fixed in 4.1.118.Final
2.1%
Low-Moderate Risk
Directly ExposedContext importance: HIGH
CVE-2026-45674MEDIUM6.8
io.netty:netty-resolver-dns
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.2%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-47691MEDIUM6.8
io.netty:netty-resolver-dns
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-7962MEDIUM6.38
com.sun.mail:jakarta.mail
1.6.3
fixed in 1.6.8, 2.0.2
0.8%
Theoretical Threat
Directly Exposed
CVE-2025-7962MEDIUM6.38
com.sun.mail:jakarta.mail
1.6.4
fixed in 1.6.8, 2.0.2
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-42583MEDIUM6.38
io.netty:netty-codec
4.1.115.Final
fixed in 4.1.133.Final
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-58057MEDIUM6.38
io.netty:netty-codec
4.1.115.Final
fixed in 4.1.125.Final
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-33870MEDIUM6.38
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.1.132.Final, 4.2.10.Final
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-42587MEDIUM6.38
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-42585MEDIUM6.38
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-58056MEDIUM6.38
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.1.125.Final, 4.2.5.Final
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-55163MEDIUM6.38
io.netty:netty-codec-http2
4.1.115.Final
fixed in 4.2.4.Final, 4.1.124.Final
1.0%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-42587MEDIUM6.38
io.netty:netty-codec-http2
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-48043MEDIUM6.38
io.netty:netty-codec-http2
4.1.115.Final
fixed in 4.1.135.Final, 4.2.15.Final
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-45416MEDIUM6.38
io.netty:netty-handler
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-50010MEDIUM6.38
io.netty:netty-handler
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42578MEDIUM6.38
io.netty:netty-handler-proxy
4.1.115.Final
fixed in 4.1.133.Final, 4.2.13.Final
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-45292MEDIUM6.38
io.opentelemetry:opentelemetry-api
1.31.0
fixed in 1.62.0
0.8%
Theoretical Threat
Directly Exposed
CVE-2024-57699MEDIUM6.38
net.minidev:json-smart
2.5.0
fixed in 2.5.2
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2024-57699MEDIUM6.38
net.minidev:json-smart
2.5.1
fixed in 2.5.2
0.6%
Theoretical Threat
Directly ExposedContext importance: HIGH
CVE-2026-34479MEDIUM6.38
org.apache.logging.log4j:log4j-1.2-api
2.19.0
fixed in 2.25.4
0.5%
Theoretical Threat
Directly Exposed
CVE-2026-34480MEDIUM6.38
org.apache.logging.log4j:log4j-core
2.12.4
fixed in 2.25.4
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-34480MEDIUM6.38
org.apache.logging.log4j:log4j-core
2.19.0
fixed in 2.25.4
0.9%
Theoretical Threat
Directly Exposed
CVE-2026-5588MEDIUM6.38
org.bouncycastle:bcpkix-jdk18on
1.78.1
fixed in 1.84
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-66566MEDIUM6.38
org.lz4:lz4-java
1.8.0
No fix yet
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-37731MEDIUM6.29
org.elasticsearch:elasticsearch
8.17.0
fixed in 8.19.8, 9.1.8, 9.2.2
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-42579MEDIUM6.18
io.netty:netty-codec-dns
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.9%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-42584MEDIUM6.18
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.7%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2025-4802MEDIUM5.95
libc-bin
2.31-0ubuntu9.16
fixed in 2.31-0ubuntu9.18
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-4802MEDIUM5.95
libc6
2.31-0ubuntu9.16
fixed in 2.31-0ubuntu9.18
0.6%
Theoretical Threat
Directly Exposed
CVE-2024-26461MEDIUM5.9
libgssapi-krb5-2
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
1.1%
Low-Moderate Risk
Directly Exposed
CVE-2024-26461MEDIUM5.9
libk5crypto3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
1.1%
Low-Moderate Risk
Directly Exposed
CVE-2024-26461MEDIUM5.9
libkrb5-3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
1.1%
Low-Moderate Risk
Directly Exposed
CVE-2024-26461MEDIUM5.9
libkrb5support0
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
1.1%
Low-Moderate Risk
Directly Exposed
CVE-2026-45673MEDIUM5.78
io.netty:netty-resolver-dns
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-24528MEDIUM5.52
libgssapi-krb5-2
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-24528MEDIUM5.52
libk5crypto3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-24528MEDIUM5.52
libkrb5-3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-24528MEDIUM5.52
libkrb5support0
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.6%
Theoretical Threat
Directly Exposed
CVE-2025-67735MEDIUM5.52
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.8.Final, 4.1.129.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-41417MEDIUM5.52
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.1.133.Final, 4.2.13.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-42580MEDIUM5.52
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.13.Final, 4.1.133.Final
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-0636MEDIUM5.52
org.bouncycastle:bcprov-jdk18on
1.78.1
fixed in 1.84
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-68384MEDIUM5.52
org.elasticsearch.plugin:x-pack-security
8.17.0
fixed in 8.19.9, 9.1.9, 9.2.3
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-12183MEDIUM5.52
org.lz4:lz4-java
1.8.0
fixed in 1.8.1
0.6%
Theoretical Threat
Directly Exposed
CVE-2026-54512MEDIUM5.5
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 2.18.8, 3.1.4, 2.21.4
0.6%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-54513MEDIUM5.5
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 2.18.8, 2.21.4, 3.1.4
0.7%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2026-44249MEDIUM5.5
io.netty:netty-handler
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.6%
Theoretical Threat
Directly ExposedContext importance: MEDIUM
CVE-2024-12243MEDIUM5.3
libgnutls30
3.6.13-2ubuntu1.11
fixed in 3.6.13-2ubuntu1.12
1.2%
Low-Moderate Risk
Directly Exposed
CVE-2024-12133MEDIUM5.3
libtasn1-6
4.16.0-2
fixed in 4.16.0-2ubuntu0.1
1.1%
Low-Moderate Risk
Directly Exposed
CVE-2025-22227MEDIUM5.18
io.projectreactor.netty:reactor-netty-http
1.0.45
fixed in 1.3.0-M5, 1.2.8
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libgssapi-krb5-2
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2024-26458MEDIUM5.02
libgssapi-krb5-2
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.8%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libk5crypto3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2024-26458MEDIUM5.02
libk5crypto3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.8%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libkrb5-3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2024-26458MEDIUM5.02
libkrb5-3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.8%
Theoretical Threat
Directly Exposed
CVE-2025-3576MEDIUM5.02
libkrb5support0
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.11
0.3%
Theoretical Threat
Directly Exposed
CVE-2024-26458MEDIUM5.02
libkrb5support0
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.9
0.8%
Theoretical Threat
Directly Exposed
CVE-2026-34477MEDIUM5.02
org.apache.logging.log4j:log4j-core
2.12.4
fixed in 2.25.4
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-34477MEDIUM5.02
org.apache.logging.log4j:log4j-core
2.19.0
fixed in 2.25.4
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-53864MEDIUM4.93
com.nimbusds:nimbus-jose-jwt
9.37.3
fixed in 10.0.2, 9.37.4
0.8%
Theoretical Threat
Directly Exposed
CVE-2025-37727MEDIUM4.84
org.elasticsearch:elasticsearch
8.17.0
fixed in 8.18.8, 8.19.5, 9.0.8, 9.1.5
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-0395MEDIUM4.67
libc-bin
2.31-0ubuntu9.16
fixed in 2.31-0ubuntu9.17
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-0395MEDIUM4.67
libc6
2.31-0ubuntu9.16
fixed in 2.31-0ubuntu9.17
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-29088MEDIUM4.67
libsqlite3-0
3.31.1-4ubuntu0.6
fixed in 3.31.1-4ubuntu0.7
0.2%
Theoretical Threat
Directly Exposed
CVE-2025-25193MEDIUM4.67
io.netty:netty-common
4.1.115.Final
fixed in 4.1.118.Final
0.4%
Theoretical Threat
Directly Exposed
CVE-2026-54514MEDIUM4.5
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 2.18.8, 2.21.4, 3.1.4
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-54515MEDIUM4.5
com.fasterxml.jackson.core:jackson-databind
2.15.0
fixed in 3.1.4, 2.18.9, 2.21.5, 2.22.1
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-50020MEDIUM4.5
io.netty:netty-codec-http
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.2%
Theoretical Threat
Directly Exposed
CVE-2026-47244MEDIUM4.5
io.netty:netty-codec-http2
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2026-50560MEDIUM4.5
io.netty:netty-codec-http2
4.1.115.Final
fixed in 4.2.15.Final, 4.1.135.Final
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-8885MEDIUM4.5
org.bouncycastle:bc-fips
1.0.2.5
fixed in 1.0.2.6, 2.0.1
0.5%
Theoretical Threat
Directly Exposed
CVE-2025-8916MEDIUM4.5
org.bouncycastle:bcpkix-jdk18on
1.78.1
fixed in 1.79
0.4%
Theoretical Threat
Directly Exposed
CVE-2025-31672MEDIUM4.4
org.apache.poi:poi-ooxml
5.2.5
fixed in 5.4.0
1.2%
Low-Moderate Risk
Directly Exposed
CVE-2025-68390MEDIUM4.17
org.elasticsearch.plugin:x-pack-core
8.17.0
fixed in 8.19.8, 9.1.8, 9.2.2
0.3%
Theoretical Threat
Directly Exposed
CVE-2025-68161MEDIUM4.08
org.apache.logging.log4j:log4j-core
2.12.4
fixed in 2.25.3
0.7%
Theoretical Threat
Directly Exposed
CVE-2025-68161MEDIUM4.08
org.apache.logging.log4j:log4j-core
2.19.0
fixed in 2.25.3
0.7%
Theoretical Threat
Directly Exposed
CVE-2024-13176MEDIUM4
libssl1.1
1.1.1f-1ubuntu2.23
fixed in 1.1.1f-1ubuntu2.24
0.6%
Theoretical Threat
Directly Exposed
CVE-2024-3596LOW3.73
libgssapi-krb5-2
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.8
14.9%
High Exploitation Risk
Post-Exploit
CVE-2024-3596LOW3.73
libk5crypto3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.8
14.9%
High Exploitation Risk
Post-Exploit
CVE-2024-3596LOW3.73
libkrb5-3
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.8
14.9%
High Exploitation Risk
Post-Exploit
CVE-2024-3596LOW3.73
libkrb5support0
1.17-6ubuntu4.7
fixed in 1.17-6ubuntu4.8
14.9%
High Exploitation Risk
Post-Exploit
CVE-2024-9143LOW3.7
libssl1.1
1.1.1f-1ubuntu2.23
fixed in 1.1.1f-1ubuntu2.24
6.0%
Low-Moderate Risk
Directly Exposed
CVE-2025-48924LOW3.7
org.apache.commons:commons-lang3
3.14.0
fixed in 3.18.0
2.2%
Low-Moderate Risk
Directly Exposed
CVE-2025-48924LOW3.7
org.apache.commons:commons-lang3
3.9
fixed in 3.18.0
2.2%
Low-Moderate Risk
Directly Exposed
CVE-2025-30258LOW2.4
gpgv
2.2.19-3ubuntu2.2
fixed in 2.2.19-3ubuntu2.4
0.2%
Theoretical Threat
Post-Exploit
CVE-2024-13176LOW2.4
openssl
1.1.1f-1ubuntu2.23
fixed in 1.1.1f-1ubuntu2.24
0.6%
Theoretical Threat
Post-Exploit
CVE-2025-14813LOW2.29
org.bouncycastle:bcprov-jdk18on
1.78.1
fixed in 1.80.2, 1.81.1, 1.84
0.3%
Theoretical Threat
Post-Exploit
CVE-2024-9143LOW2.22
openssl
1.1.1f-1ubuntu2.23
fixed in 1.1.1f-1ubuntu2.24
6.0%
Low-Moderate Risk
Post-Exploit
GHSA-72hv-8253-57qqNONE0
com.fasterxml.jackson.core:jackson-core
2.15.0
fixed in 2.21.1, 2.18.6
Not Applicable
GHSA-72hv-8253-57qqNONE0
com.fasterxml.jackson.core:jackson-core
2.17.2
fixed in 2.21.1, 2.18.6
Not Applicable

Want to check another image? Run a full scan with the Docker Security Scanner.