Filtered by vendor Elastic
Subscribe
Total
190 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-8445 | 1 Elastic | 1 X-pack | 2025-04-20 | 2.1 LOW | 5.5 MEDIUM |
| An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates. | |||||
| CVE-2016-1000220 | 1 Elastic | 1 Kibana | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. | |||||
| CVE-2016-1000219 | 1 Elastic | 1 Kibana | 2025-04-20 | 5.0 MEDIUM | 7.5 HIGH |
| Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. | |||||
| CVE-2016-10364 | 1 Elastic | 1 Kibana | 2025-04-20 | 4.0 MEDIUM | 6.5 MEDIUM |
| With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions. | |||||
| CVE-2017-8449 | 1 Elastic | 1 X-pack | 2025-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index. | |||||
| CVE-2015-4093 | 1 Elastic | 1 Kibana | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-4152 | 1 Elastic | 1 Logstash | 2025-04-12 | 6.4 MEDIUM | N/A |
| Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option. | |||||
| CVE-2015-8131 | 1 Elastic | 1 Kibana | 2025-04-12 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2014-4326 | 1 Elastic | 1 Logstash | 2025-04-12 | 7.5 HIGH | N/A |
| Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. | |||||
| CVE-2024-23444 | 1 Elastic | 1 Elasticsearch | 2025-04-04 | N/A | 4.9 MEDIUM |
| It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation. | |||||
| CVE-2022-38774 | 2 Elastic, Microsoft | 3 Endgame, Endpoint Security, Windows | 2025-04-02 | N/A | 7.8 HIGH |
| An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | |||||
| CVE-2022-38775 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2025-04-02 | N/A | 7.8 HIGH |
| An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | |||||
| CVE-2022-38778 | 2 Decode-uri-component Project, Elastic | 2 Decode-uri-component, Kibana | 2025-03-25 | N/A | 6.5 MEDIUM |
| A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process. | |||||
| CVE-2022-38777 | 2 Elastic, Microsoft | 3 Endgame, Endpoint Security, Windows | 2025-03-25 | N/A | 7.8 HIGH |
| An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | |||||
| CVE-2024-37279 | 1 Elastic | 1 Kibana | 2025-03-13 | N/A | 4.3 MEDIUM |
| A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. | |||||
| CVE-2024-43709 | 1 Elastic | 1 Elasticsearch | 2025-02-21 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. | |||||
| CVE-2023-46672 | 1 Elastic | 1 Logstash | 2025-02-13 | N/A | 8.4 HIGH |
| An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are: * Logstash is configured to log in JSON format https://www.elastic.co/guide/en/logstash/current/running-logstash-command-line.html , which is not the default logging format. * Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration. | |||||
| CVE-2023-31419 | 1 Elastic | 1 Elasticsearch | 2025-02-13 | N/A | 6.5 MEDIUM |
| A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. | |||||
| CVE-2023-31417 | 1 Elastic | 1 Elasticsearch | 2025-02-13 | N/A | 4.1 MEDIUM |
| Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured. | |||||
| CVE-2024-12539 | 1 Elastic | 1 Elasticsearch | 2025-02-04 | N/A | 6.5 MEDIUM |
| An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. | |||||