elasticsearch

Patched

Databases & Caching from mirror.gcr.io/library/elasticsearch

Pull Reference

ghcr.io/verity-org/library/elasticsearch

docker pull ghcr.io/verity-org/library/elasticsearch

Copa-Patched Image

Patched in-place from the upstream image using Copa . OS-level vulnerabilities are fixed without rebuilding \u2014 same layers, same behavior, fewer CVEs.

Supply Chain

Full compliance details

Signed SLSA L3 SBOM Rekor

Verify this artifact

Cosign signature

cosign verify \
  --certificate-identity-regexp "https://github.com/verity-org/verity/.github/workflows/" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  ghcr.io/verity-org/library/elasticsearch:9.3.0

Build provenance

gh attestation verify \
  oci://ghcr.io/verity-org/library/elasticsearch:9.3.0 \
  --owner verity-org

Vulnerability Scan

Found 107 vulnerabilit ies in the original image. 3 fixed by Copa. 104 remaining after patching.

9HIGH48MEDIUM50LOW

Fix available — pending patch

These vulnerabilities have upstream fixes but could not be automatically patched.

ID	Package	Installed	Fixed	Severity
CVE-2026-33870	io.netty:netty-codec-http	4.1.130.Final	4.1.132.Final, 4.2.10.Final	HIGH
CVE-2026-33870	io.netty:netty-codec-http	4.1.130.Final	4.1.132.Final, 4.2.10.Final	HIGH
CVE-2026-33870	io.netty:netty-codec-http	4.1.130.Final	4.1.132.Final, 4.2.10.Final	HIGH
CVE-2026-33870	io.netty:netty-codec-http	4.1.130.Final	4.1.132.Final, 4.2.10.Final	HIGH
CVE-2026-33871	io.netty:netty-codec-http2	4.1.130.Final	4.1.132.Final, 4.2.11.Final	HIGH
CVE-2026-33871	io.netty:netty-codec-http2	4.1.130.Final	4.1.132.Final, 4.2.11.Final	HIGH
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.15.0	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.17.2	2.18.6, 2.21.1, 3.1.0	MEDIUM
GHSA-72hv-8253-57qq	com.fasterxml.jackson.core:jackson-core	2.17.2	2.18.6, 2.21.1, 3.1.0	MEDIUM
CVE-2025-22227	io.projectreactor.netty:reactor-netty-http	1.0.45	1.3.0-M5, 1.2.8	MEDIUM
CVE-2025-48924	org.apache.commons:commons-lang3	3.9	3.18.0	MEDIUM
CVE-2025-48924	org.apache.commons:commons-lang3	3.9	3.18.0	MEDIUM
CVE-2025-68161	org.apache.logging.log4j:log4j-core	2.19.0	2.25.3	MEDIUM
CVE-2025-68161	org.apache.logging.log4j:log4j-core	2.25.0	2.25.3	MEDIUM

Awaiting upstream fix

No fix is available yet for these vulnerabilities.

ID	Package	Installed	Severity
CVE-2026-4424	libarchive	3.5.3-7.el9_7	HIGH
CVE-2026-27135	libnghttp2	1.43.0-6.el9	HIGH
CVE-2025-5278	coreutils-single	8.32-39.el9	MEDIUM
CVE-2025-14017	curl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-1965	curl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-3783	curl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-3784	curl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-3805	curl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2025-14087	glib2	2.68.4-18.el9_7.1	MEDIUM
CVE-2025-14512	glib2	2.68.4-18.el9_7.1	MEDIUM
CVE-2026-1484	glib2	2.68.4-18.el9_7.1	MEDIUM
CVE-2026-1489	glib2	2.68.4-18.el9_7.1	MEDIUM
CVE-2026-4437	glibc	2.34-231.el9_7.10	MEDIUM
CVE-2026-4437	glibc-common	2.34-231.el9_7.10	MEDIUM
CVE-2026-4437	glibc-minimal-langpack	2.34-231.el9_7.10	MEDIUM
CVE-2025-68972	gnupg2	2.3.3-5.el9_7	MEDIUM
CVE-2023-30571	libarchive	3.5.3-7.el9_7	MEDIUM
CVE-2025-60753	libarchive	3.5.3-7.el9_7	MEDIUM
CVE-2026-4426	libarchive	3.5.3-7.el9_7	MEDIUM
CVE-2026-5121	libarchive	3.5.3-7.el9_7	MEDIUM
CVE-2025-14017	libcurl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-1965	libcurl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-3783	libcurl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-3784	libcurl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-3805	libcurl-minimal	7.76.1-35.el9_7.3	MEDIUM
CVE-2026-0990	libxml2	2.9.13-14.el9_7	MEDIUM
CVE-2026-1757	libxml2	2.9.13-14.el9_7	MEDIUM
CVE-2026-22185	openldap	2.6.8-4.el9	MEDIUM
CVE-2026-2100	p11-kit	0.25.3-3.el9_5	MEDIUM
CVE-2026-2100	p11-kit-trust	0.25.3-3.el9_5	MEDIUM
CVE-2026-29111	systemd-libs	252-55.el9_7.7	MEDIUM
CVE-2026-4105	systemd-libs	252-55.el9_7.7	MEDIUM
CVE-2024-11053	curl-minimal	7.76.1-35.el9_7.3	LOW
CVE-2024-7264	curl-minimal	7.76.1-35.el9_7.3	LOW
CVE-2024-9681	curl-minimal	7.76.1-35.el9_7.3	LOW
CVE-2023-4156	gawk	5.1.0-6.el9	LOW
CVE-2023-32636	glib2	2.68.4-18.el9_7.1	LOW
CVE-2025-3360	glib2	2.68.4-18.el9_7.1	LOW
CVE-2025-7039	glib2	2.68.4-18.el9_7.1	LOW
CVE-2026-0988	glib2	2.68.4-18.el9_7.1	LOW
CVE-2026-1485	glib2	2.68.4-18.el9_7.1	LOW
CVE-2026-4438	glibc	2.34-231.el9_7.10	LOW
CVE-2026-4438	glibc-common	2.34-231.el9_7.10	LOW
CVE-2026-4438	glibc-minimal-langpack	2.34-231.el9_7.10	LOW
CVE-2022-3219	gnupg2	2.3.3-5.el9_7	LOW
CVE-2025-30258	gnupg2	2.3.3-5.el9_7	LOW
CVE-2026-24883	gnupg2	2.3.3-5.el9_7	LOW
CVE-2025-1632	libarchive	3.5.3-7.el9_7	LOW
CVE-2025-5915	libarchive	3.5.3-7.el9_7	LOW
CVE-2025-5916	libarchive	3.5.3-7.el9_7	LOW
CVE-2025-5917	libarchive	3.5.3-7.el9_7	LOW
CVE-2025-5918	libarchive	3.5.3-7.el9_7	LOW
CVE-2024-11053	libcurl-minimal	7.76.1-35.el9_7.3	LOW
CVE-2024-7264	libcurl-minimal	7.76.1-35.el9_7.3	LOW
CVE-2024-9681	libcurl-minimal	7.76.1-35.el9_7.3	LOW
CVE-2022-27943	libgcc	11.5.0-11.el9	LOW
CVE-2025-11961	libpcap	14:1.10.0-4.el9	LOW
CVE-2022-27943	libstdc++	11.5.0-11.el9	LOW
CVE-2025-13151	libtasn1	4.16.0-9.el9	LOW
CVE-2023-45322	libxml2	2.9.13-14.el9_7	LOW
CVE-2024-34459	libxml2	2.9.13-14.el9_7	LOW
CVE-2025-27113	libxml2	2.9.13-14.el9_7	LOW
CVE-2025-6170	libxml2	2.9.13-14.el9_7	LOW
CVE-2026-0989	libxml2	2.9.13-14.el9_7	LOW
CVE-2026-0992	libxml2	2.9.13-14.el9_7	LOW
CVE-2023-50495	ncurses-base	6.2-12.20210508.el9	LOW
CVE-2023-50495	ncurses-libs	6.2-12.20210508.el9	LOW
CVE-2026-2673	openssl-fips-provider	3.0.7-8.el9	LOW
CVE-2026-2673	openssl-fips-provider-so	3.0.7-8.el9	LOW
CVE-2024-13176	openssl-libs	1:3.5.1-7.el9_7	LOW
CVE-2024-41996	openssl-libs	1:3.5.1-7.el9_7	LOW
CVE-2025-9232	openssl-libs	1:3.5.1-7.el9_7	LOW
CVE-2026-2673	openssl-libs	1:3.5.1-7.el9_7	LOW
CVE-2022-41409	pcre2	10.40-6.el9	LOW
CVE-2022-41409	pcre2-syntax	10.40-6.el9	LOW
CVE-2024-0232	sqlite-libs	3.34.1-9.el9_7	LOW
CVE-2025-70873	sqlite-libs	3.34.1-9.el9_7	LOW
CVE-2021-4217	unzip	6.0-59.el9	LOW
CVE-2022-0529	unzip	6.0-59.el9	LOW
CVE-2022-0530	unzip	6.0-59.el9	LOW
CVE-2026-27171	zlib	1.2.11-40.el9	LOW

Source

Copa (in-place patch)

Platforms

linux/amd64, linux/arm64

Registry

ghcr.io/verity-org

Upstream

mirror.gcr.io/library/elasticsearch