Filtered by vendor Elastic
Subscribe
Total
159 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-3820 | 1 Elastic | 1 Kibana | 2023-03-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2018-3821 | 1 Elastic | 1 Kibana | 2023-03-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2019-7614 | 1 Elastic | 1 Elasticsearch | 2023-03-03 | 4.3 MEDIUM | 5.9 MEDIUM |
| A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user. | |||||
| CVE-2018-3830 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2023-03-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
| CVE-2019-7616 | 1 Elastic | 1 Kibana | 2023-03-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system. | |||||
| CVE-2019-7615 | 1 Elastic | 1 Apm-agent-ruby | 2023-03-03 | 5.8 MEDIUM | 7.4 HIGH |
| A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent. | |||||
| CVE-2022-38779 | 1 Elastic | 1 Kibana | 2023-03-03 | N/A | 6.1 MEDIUM |
| An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. | |||||
| CVE-2020-10743 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2023-02-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking. | |||||
| CVE-2020-7019 | 1 Elastic | 1 Elasticsearch | 2023-01-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index. | |||||
| CVE-2021-22137 | 1 Elastic | 1 Elasticsearch | 2022-11-04 | 4.3 MEDIUM | 5.3 MEDIUM |
| In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices. | |||||
| CVE-2021-22147 | 1 Elastic | 1 Elasticsearch | 2022-11-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. | |||||
| CVE-2021-22149 | 1 Elastic | 1 Enterprise Search | 2022-10-25 | 6.5 MEDIUM | 8.8 HIGH |
| Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users. | |||||
| CVE-2021-22134 | 2 Elastic, Oracle | 2 Elasticsearch, Communications Cloud Native Core Automated Test Suite | 2022-10-25 | 4.0 MEDIUM | 4.3 MEDIUM |
| A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. | |||||
| CVE-2022-23712 | 1 Elastic | 1 Elasticsearch | 2022-10-05 | 5.0 MEDIUM | 7.5 HIGH |
| A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. | |||||
| CVE-2022-23715 | 1 Elastic | 1 Elastic Cloud Enterprise | 2022-08-31 | N/A | 6.5 MEDIUM |
| A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore | |||||
| CVE-2022-23713 | 1 Elastic | 1 Kibana | 2022-07-14 | 4.3 MEDIUM | 6.1 MEDIUM |
| A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. | |||||
| CVE-2021-22146 | 1 Elastic | 1 Elasticsearch | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster. | |||||
| CVE-2021-22138 | 1 Elastic | 1 Logstash | 2022-06-04 | 4.3 MEDIUM | 3.7 LOW |
| In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data. | |||||
| CVE-2020-7020 | 1 Elastic | 1 Elasticsearch | 2022-06-03 | 3.5 LOW | 3.1 LOW |
| Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices. | |||||
| CVE-2021-22132 | 2 Elastic, Oracle | 2 Elasticsearch, Communications Cloud Native Core Automated Test Suite | 2022-05-12 | 2.1 LOW | 4.8 MEDIUM |
| Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2 | |||||