=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN445
_____________________________________________________________________

DATE                : 29/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Elastic Package Registry versions
                                 prior to 1.38.0.

=====================================================================
https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081
_____________________________________________________________________


Elastic Package Registry 1.38.0 Security Update (ESA-2026-27)

ismisepaul (Paul), April 28, 2026, 9:11pm

Improper Verification of Cryptographic Signature in Elastic Package
Registry Leading to Package Integrity Bypass

Improper Verification of Cryptographic Signature (CWE-347) in Elastic
Package Registry could allow an attacker positioned to intercept
network traffic, or to otherwise influence the contents served to a
self-hosted registry, to substitute a tampered package without the
integrity check failing closed.


Affected Versions:

    All versions of the Elastic Package Registry up to and
    including 1.37.0.


Affected Configurations:

    Self-hosted deployments that sync packages from an upstream
    source (via the distribution tool or proxy mode).

Exploitation requires an attacker positioned to intercept or
modify network traffic between the self-hosted Elastic Package
Registry and its upstream source.


Unaffected Configurations:

    Elastic's public package registry at https://epr.elastic.co
    and deployments that pull packages directly from it.


Solutions and Mitigations:

The issue is resolved in Elastic Package Registry version 1.38.0.

Severity: CVSSv3.1: Medium (5.9) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVE ID: CVE-2026-33467
Problem Type: CWE-347 - Improper Verification of Cryptographic Signature


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




