Skip to main content

Elastic

321 CVEs vendor

Monthly

CVE-2024-39810 MEDIUM This Month

Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Mattermost Denial Of Service
NVD
CVSS 3.1
4.9
EPSS
0.5%
CVE-2024-37287 HIGH This Week

A flaw allowing arbitrary code execution was discovered in Kibana. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Elastic RCE Kibana
NVD
CVSS 3.1
7.2
EPSS
1.6%
CVE-2024-37283 MEDIUM PATCH This Month

An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Information Disclosure Elastic Agent
NVD
CVSS 4.0
6.5
EPSS
0.6%
CVE-2024-7610 MEDIUM This Month

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Elastic Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-23444 Maven HIGH PATCH This Week

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-37281 MEDIUM PATCH This Month

An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-4839 LOW POC Monitor

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Elastic CSRF Lollms Webui
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2024-23443 MEDIUM This Month

A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
4.9
EPSS
1.8%
CVE-2024-23442 MEDIUM This Month

An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-37280 Maven MEDIUM PATCH This Month

A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Elastic Denial Of Service Elasticsearch
NVD
CVSS 3.1
4.9
EPSS
0.5%
CVE-2024-37279 MEDIUM This Month

A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2024-23445 MEDIUM PATCH This Month

It was identified that if a cross-cluster API key. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Information Disclosure Elasticsearch
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-35192 Go MEDIUM PATCH This Month

Trivy is a security scanner. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required. No vendor patch available.

Elastic Information Disclosure Google Microsoft
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-32134 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nasirahmed Forms to Zapier, Integromat, IFTTT, Workato, Automate.Io, elastic.Io, Built.Io,. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic SQLi
NVD
CVSS 3.1
7.6
EPSS
0.2%
CVE-2024-23449 Maven MEDIUM PATCH This Month

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2024-23451 Maven MEDIUM PATCH This Month

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Elasticsearch
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-23450 Maven HIGH PATCH This Week

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-23448 Go HIGH PATCH This Week

An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Apm Server
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-23446 MEDIUM This Month

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-23791 HIGH This Week

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Otrs
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-43741 Go HIGH POC PATCH This Week

A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Elastic Authentication Bypass Elastic Ci Stack
NVD GitHub
CVSS 3.1
7.0
EPSS
0.2%
CVE-2023-43116 Go HIGH POC PATCH This Week

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to change ownership of arbitrary directories via the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Elastic Information Disclosure Elastic Ci Stack
NVD GitHub
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-46675 MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-46671 MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-6687 MEDIUM This Month

An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elastic Agent
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-49922 Go MEDIUM PATCH This Month

An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elastic Beats
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-49923 MEDIUM This Month

An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Enterprise Search
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-46674 Maven HIGH PATCH This Week

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Elastic Deserialization Elasticsearch
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-46673 Maven HIGH PATCH This Week

It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2023-46672 MEDIUM This Month

An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Logstash
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2023-45585 LOW Monitor

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiSIEM version 7.0.0, version 6.7.6 and below, version 6.6.3 and below, version 6.5.1 and below, version 6.4.2 and. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Fortisiem
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2023-31419 Maven HIGH PATCH This Week

A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow Denial Of Service Elastic Elasticsearch
NVD
CVSS 3.1
7.5
EPSS
60.7%
CVE-2023-31418 Maven HIGH PATCH This Week

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch Elastic Cloud Enterprise
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2023-31417 Maven MEDIUM PATCH This Month

Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2023-46666 MEDIUM This Month

An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Microsoft Python Authentication Bypass Elastic Sharepoint Online Python Connector
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-31421 HIGH This Week

It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elastic Beats Elastic Agent Apm Server +1
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2023-31422 HIGH This Week

An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-46667 HIGH This Week

An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Fleet Server
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2023-46668 CRITICAL Act Now

If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Endpoint
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2023-45807 Maven MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Opensearch
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-20034 HIGH PATCH This Week

Vulnerability in the Elasticsearch database used in the of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to access the Elasticsearch configuration database of an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Elastic Cisco Authentication Bypass Sd Wan
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-38387 MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic XSS Elastic Email Sender
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-30434 MEDIUM PATCH This Month

IBM Storage Scale (IBM Spectrum Scale 5.1.0.0 through 5.1.2.9, 5.1.3.0 through 5.1.6.1 and IBM Elastic Storage Systems 6.1.0.0 through 6.1.2.5, 6.1.3.0 through 6.1.6.0) could allow a local user to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Elastic Information Disclosure IBM Elastic Storage System Spectrum Scale
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-31415 HIGH This Week

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic Kibana
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2023-31414 HIGH This Week

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic Kibana
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-21981 MEDIUM This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Oracle Authentication Bypass Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
4.9
EPSS
0.6%
CVE-2023-21844 MEDIUM PATCH This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Elastic Oracle Authentication Bypass Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-21824 MEDIUM PATCH This Month

Vulnerability in the Oracle Communications BRM - Elastic Charging Engine product of Oracle Communications Applications (component: Customer, Config, Pricing Manager). Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Elastic Oracle Authentication Bypass Communications Billing And Revenue Management Elastic Charging Engine Communications Cloud Native Core Binding Support Function +1
NVD
CVSS 3.1
4.4
EPSS
0.2%
CVE-2022-46174 Go MEDIUM PATCH This Month

efs-utils is a set of Utilities for Amazon Elastic File System (EFS). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Race Condition Information Disclosure Elastic Efs Utils Elastic File System Container Storage Interface Driver
NVD GitHub
CVSS 3.1
4.2
EPSS
0.6%
CVE-2022-38656 CRITICAL Act Now

HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Hcl Commerce
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2022-41917 MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Java Elastic Opensearch
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-41918 Maven MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Elastic Opensearch
NVD GitHub
CVSS 3.1
6.3
EPSS
0.4%
CVE-2022-42123 Maven HIGH PATCH This Week

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Elastic Digital Experience Platform Liferay Portal
NVD VulDB
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-21639 MEDIUM PATCH This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search Integration). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Oracle XSS Elastic Peoplesoft Enterprise
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-38299 MEDIUM PATCH This Month

An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Elastic Appsmith
NVD GitHub
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-23715 MEDIUM This Month

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Elastic Elastic Cloud Enterprise
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-35980 Maven HIGH PATCH This Week

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Elastic Opensearch
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2022-34844 HIGH This Week

In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, and all versions of BIG-IQ 8.x, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Elastic Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Analytics +9
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-23714 HIGH This Week

A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Elastic Endpoint Security
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-23713 MEDIUM This Month

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2022-31115 Ruby HIGH POC PATCH This Week

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Elastic Opensearch
NVD GitHub
CVSS 3.1
8.8
EPSS
1.5%
CVE-2022-34807 Maven MEDIUM This Month

Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Elastic Jenkins Elasticsearch Query
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2022-23712 Maven HIGH PATCH This Week

A Denial of Service flaw was discovered in Elasticsearch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Elasticsearch
NVD
CVSS 3.1
7.5
EPSS
7.4%
CVE-2022-23711 MEDIUM This Month

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-23709 MEDIUM This Month

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Kibana
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2022-23708 Maven MEDIUM PATCH This Month

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Elasticsearch
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-37939 npm LOW PATCH Monitor

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic IBM Atlassian Information Disclosure Kibana
NVD
CVSS 3.1
2.7
EPSS
0.4%
CVE-2021-37938 MEDIUM This Month

It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Microsoft Privilege Escalation Kibana
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2021-22149 HIGH This Week

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Enterprise Search
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-22148 HIGH This Week

Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Enterprise Search
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2021-22147 Maven MEDIUM PATCH This Month

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Elasticsearch
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-23051 HIGH This Week

On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Big Ip Access Policy Manager Big Ip Advanced Firewall Manager Big Ip Advanced Web Application Firewall +8
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-22144 Maven MEDIUM PATCH This Month

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Elasticsearch Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
6.5
EPSS
2.2%
CVE-2021-22146 HIGH POC THREAT This Week

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
27.8%
CVE-2021-22145 Maven MEDIUM POC PATCH THREAT This Month

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Elastic Information Disclosure Elasticsearch Communications Cloud Native Core Automated Test Suite
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
76.2%
CVE-2021-32743 HIGH POC This Week

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Redis Elastic Information Disclosure Icinga Debian Linux
NVD GitHub
CVSS 3.1
8.8
EPSS
1.8%
CVE-2021-22140 HIGH This Week

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XXE Elastic App Search
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-22139 MEDIUM This Month

Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2021-22137 Maven MEDIUM PATCH This Month

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
CVSS 3.1
5.3
EPSS
1.1%
CVE-2021-22136 LOW Monitor

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
CVSS 3.1
3.5
EPSS
0.3%
CVE-2021-22135 Maven MEDIUM PATCH This Month

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-31828 HIGH PATCH This Week

An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Elastic SSRF Open Distro
NVD GitHub
CVSS 3.1
7.1
EPSS
0.9%
CVE-2021-22997 HIGH This Week

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Big Iq Centralized Management
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-22134 Maven MEDIUM PATCH This Month

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Elastic Information Disclosure Elasticsearch Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
4.3
EPSS
1.1%
CVE-2021-22133 Go LOW PATCH Monitor

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Apm Agent
NVD
CVSS 3.1
2.4
EPSS
0.5%
CVE-2021-1312 HIGH This Week

A vulnerability in the system resource management of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) to the health monitor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Elastic Denial Of Service Elastic Services Controller
NVD
CVSS 3.1
7.5
EPSS
2.5%
CVE-2021-2071 HIGH This Week

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Elastic Oracle Information Disclosure Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2021-22132 Maven MEDIUM PATCH This Month

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Elastic Information Disclosure Elasticsearch Communications Cloud Native Core Automated Test Suite
NVD
CVSS 3.1
4.8
EPSS
1.2%
CVE-2020-27816 MEDIUM This Month

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana Openshift Container Platform
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2020-24303 Go MEDIUM PATCH This Month

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Elastic Grafana
NVD GitHub
CVSS 3.1
6.1
EPSS
2.0%
EPSS 0% CVSS 4.9
MEDIUM This Month

Mattermost versions 9.5.x <= 9.5.7 and 9.10.x <= 9.10.0 fail to time limit and size limit the CA path file in the ElasticSearch configuration which allows a System Role with access to the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Mattermost Denial Of Service
NVD
EPSS 2% CVSS 7.2
HIGH This Week

A flaw allowing arbitrary code execution was discovered in Kibana. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Elastic RCE +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Information Disclosure Elastic Agent
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Elastic Denial Of Service
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Requests, the associated private key that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Elastic Denial Of Service Kibana
NVD
EPSS 0% CVSS 3.3
LOW POC Monitor

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Elastic CSRF Lollms Webui
NVD
EPSS 2% CVSS 4.9
MEDIUM This Month

A high-privileged user, allowed to create custom osquery packs 17 could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Elastic +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API making the alerting rule run continuously, potentially affecting the system availability if the alerting. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

It was identified that if a cross-cluster API key. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Information Disclosure Elasticsearch
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Trivy is a security scanner. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required. No vendor patch available.

Elastic Information Disclosure Google +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nasirahmed Forms to Zapier, Integromat, IFTTT, Workato, Automate.Io, elastic.Io, Built.Io,. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic SQLi
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Elasticsearch
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the Elasticsearch node to crash. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Apm Server
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Otrs
NVD
EPSS 0% CVSS 7.0
HIGH POC PATCH This Week

A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the. Rated high severity (CVSS 7.0). Public exploit code available and no vendor patch available.

Elastic Authentication Bypass Elastic Ci Stack
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to change ownership of arbitrary directories via the. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Elastic Information Disclosure Elastic Ci Stack
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error or in the event where debug level logging is enabled in Kibana. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elastic Agent
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elastic Beats
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Enterprise Search
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Java Elastic Deserialization +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Logstash
NVD
EPSS 0% CVSS 3.3
LOW Monitor

An insertion of sensitive information into log file vulnerability [CWE-532] in FortiSIEM version 7.0.0, version 6.7.6 and below, version 6.6.3 and below, version 6.5.1 and below, version 6.4.2 and. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Fortisiem
NVD
EPSS 61% CVSS 7.5
HIGH PATCH This Week

A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Stack Overflow Buffer Overflow Denial Of Service +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Denial Of Service Elasticsearch +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Microsoft Python +2
NVD
EPSS 0% CVSS 7.5
HIGH This Week

It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elastic Beats +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 0% CVSS 8.1
HIGH This Week

An issue was discovered in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Fleet Server
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Endpoint
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Opensearch
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Vulnerability in the Elasticsearch database used in the of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to access the Elasticsearch configuration database of an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Hard-coded Credentials vulnerability could allow attackers to gain access using credentials embedded in source code.

Elastic Cisco Authentication Bypass +1
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic XSS Elastic Email Sender
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

IBM Storage Scale (IBM Spectrum Scale 5.1.0.0 through 5.1.2.9, 5.1.3.0 through 5.1.6.1 and IBM Elastic Storage Systems 6.1.0.0 through 6.1.2.5, 6.1.3.0 through 6.1.6.0) could allow a local user to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Elastic Information Disclosure IBM +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Kibana version 8.7.0 contains an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Elastic +1
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Oracle Authentication Bypass +1
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Elastic Oracle Authentication Bypass +1
NVD
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Vulnerability in the Oracle Communications BRM - Elastic Charging Engine product of Oracle Communications Applications (component: Customer, Config, Pricing Manager). Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity.

Elastic Oracle Authentication Bypass +3
NVD
EPSS 1% CVSS 4.2
MEDIUM PATCH This Month

efs-utils is a set of Utilities for Amazon Elastic File System (EFS). Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Race Condition Information Disclosure Elastic +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

HCL Commerce, when using Elasticsearch, can allow a remote attacker to cause a denial of service attack on the site and make administrative changes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Hcl Commerce
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Java Elastic +1
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Elastic Opensearch
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A Zip slip vulnerability in the Elasticsearch Connector in Liferay Portal 7.3.3 through 7.4.3.18, and Liferay DXP 7.3 before update 6, and 7.4 before update 19 allows attackers to create or overwrite. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Elastic Digital Experience Platform +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search Integration). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Oracle XSS Elastic +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

An issue in the Elasticsearch plugin of Appsmith v1.7.11 allows attackers to connect disallowed hosts to the AWS/GCP internal metadata endpoint. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Elastic Appsmith
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Elastic Elastic Cloud Enterprise
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Elastic Opensearch
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

In BIG-IP Versions 16.1.x before 16.1.3.1 and 15.1.x before 15.1.6.1, and all versions of BIG-IQ 8.x, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Elastic Big Ip Access Policy Manager +11
NVD
EPSS 0% CVSS 7.8
HIGH This Week

A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Microsoft Elastic +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XSS Kibana
NVD
EPSS 2% CVSS 8.8
HIGH POC PATCH This Week

opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization Elastic Opensearch
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM This Month

Jenkins Elasticsearch Query Plugin 1.2 and earlier stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Elastic Jenkins +1
NVD
EPSS 7% CVSS 7.5
HIGH PATCH This Week

A Denial of Service flaw was discovered in Elasticsearch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Elasticsearch
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Kibana
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Elasticsearch
NVD
EPSS 0% CVSS 2.7
LOW PATCH Monitor

It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic IBM Atlassian +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Microsoft Privilege Escalation +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure Enterprise Search
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Enterprise Search
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Elasticsearch
NVD
EPSS 1% CVSS 7.5
HIGH This Week

On BIG-IP versions 15.1.0.4 through 15.1.3, when the Data Plane Development Kit (DPDK)/Elastic Network Adapter (ENA) driver is used with BIG-IP on Amazon Web Services (AWS) systems, undisclosed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Big Ip Access Policy Manager +10
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Elastic Denial Of Service Elasticsearch +1
NVD
EPSS 28% CVSS 7.5
HIGH POC THREAT This Week

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD Exploit-DB
EPSS 76% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Elastic Information Disclosure Elasticsearch +1
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.8
HIGH POC This Week

Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Redis Elastic Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic XXE Elastic App Search
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Denial Of Service Kibana
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
EPSS 0% CVSS 3.5
LOW Monitor

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Kibana
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Elasticsearch
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

Elastic SSRF Open Distro
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

On all 7.x and 6.x versions (fixed in 8.0.0), BIG-IQ HA ElasticSearch service does not implement any form of authentication for the clustering transport services, and all data used by ElasticSearch. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Big Iq Centralized Management
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Elastic Information Disclosure Elasticsearch +1
NVD
EPSS 1% CVSS 2.4
LOW PATCH Monitor

The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Rated low severity (CVSS 2.4), this vulnerability is low attack complexity. No vendor patch available.

Elastic Information Disclosure Apm Agent
NVD
EPSS 3% CVSS 7.5
HIGH This Week

A vulnerability in the system resource management of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) to the health monitor. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Elastic Denial Of Service +1
NVD
EPSS 2% CVSS 8.1
HIGH This Week

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Elastic Search). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Elastic Oracle Information Disclosure +1
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Elastic Information Disclosure Elasticsearch +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Kibana +1
NVD
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

Grafana before 7.1.0-beta 1 allows XSS via a query alias for the ElasticSearch datasource. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Elastic Grafana
NVD GitHub
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy