Skip to main content

Elastic

321 CVEs vendor

Monthly

CVE-2016-1000220 MEDIUM This Month

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-1000219 HIGH This Week

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
CVSS 3.0
7.5
EPSS
0.7%
CVE-2016-1000218 HIGH This Week

Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Elastic Kibana Reporting
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2015-9056 MEDIUM This Month

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-6697 MEDIUM This Month

A vulnerability in the web interface of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive system credentials that are stored in an affected system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure Elastic Services Controller
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-6696 MEDIUM This Month

A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure Elastic Services Controller
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2017-6693 MEDIUM This Month

A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Cisco Authentication Bypass Elastic Elastic Services Controller
NVD
CVSS 3.0
5.5
EPSS
0.1%
CVE-2017-6691 MEDIUM This Month

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure Elastic Services Controller
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-6689 HIGH This Week

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
0.8%
CVE-2017-6688 HIGH This Week

A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2017-6684 HIGH This Week

A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2017-6683 HIGH This Week

A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection Elastic Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
9.5%
CVE-2017-6682 HIGH This Week

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection Elastic Elastic Services Controller
NVD
CVSS 3.0
8.8
EPSS
1.0%
CVE-2017-4959 HIGH This Week

An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions prior to 1.8.29 and 1.9.x versions prior to 1.9.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
8.8
EPSS
0.5%
CVE-2017-4955 CRITICAL Act Now

An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.65, 1.7.x versions prior to 1.7.48, 1.8.x versions prior to 1.8.28, and 1.9.x versions prior to 1.9.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-2773 CRITICAL Act Now

An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2017-8441 MEDIUM This Month

Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-8440 MEDIUM This Month

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-8439 MEDIUM This Month

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-8438 HIGH PATCH This Week

Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation X Pack
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2016-3084 Maven HIGH PATCH This Week

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Elastic Cloud Foundry Uaa Bosh Cloud Foundry Cloud Foundry Elastic Runtime +2
NVD
CVSS 3.0
8.1
EPSS
0.3%
CVE-2016-2165 MEDIUM This Month

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Cf Release Cloud Foundry Elastic Runtime
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2016-0781 MEDIUM This Month

The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Java Elastic Cloud Foundry Uaa Bosh Cloud Foundry +3
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-0780 HIGH This Week

It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Cf Release Cloud Foundry Elastic Runtime
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2016-0761 CRITICAL Act Now

Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runtime 1.6.x version prior to 1.6.17 contain a flaw in managing container files during Docker image preparation that could be used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Elastic Information Disclosure Garden Linux Cloud Foundry Elastic Runtime
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2015-1834 MEDIUM This Month

A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Elastic Cf Release Cloud Foundry Elastic Runtime
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2016-5016 Maven MEDIUM PATCH This Month

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Elastic Information Disclosure Cloud Foundry Cloud Foundry Elastic Runtime Cloud Foundry Uaa +1
NVD GitHub
CVSS 3.0
5.9
EPSS
0.3%
CVE-2016-4468 HIGH PATCH This Week

SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi Elastic Cloud Foundry Uaa Bosh Cloud Foundry Cloud Foundry Elastic Runtime +2
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2016-6657 HIGH This Week

An open redirect vulnerability has been detected with some Pivotal Cloud Foundry Elastic Runtime components. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Cloud Foundry Ops Manager Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
7.4
EPSS
0.2%
CVE-2016-6651 HIGH This Week

The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Privilege Escalation Cloud Foundry Uaa Bosh Cloud Foundry Cloud Foundry Elastic Runtime +2
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2016-6637 Maven CRITICAL PATCH Act Now

Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Elastic CSRF Cloud Foundry Uaa Bosh Cloud Foundry Cloud Foundry Elastic Runtime +2
NVD
CVSS 3.0
9.6
EPSS
0.1%
CVE-2016-6636 MEDIUM This Month

The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5;. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Cloud Foundry Uaa Bosh Cloud Foundry Cloud Foundry Elastic Runtime +2
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2016-6639 HIGH PATCH This Week

Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242, as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Elastic PHP Information Disclosure Php Buildpack Cloud Foundry Elastic Runtime
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2016-0928 HIGH This Week

Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.30 and 1.7.x before 1.7.8 allow remote attackers to redirect users to arbitrary web sites and conduct. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
7.4
EPSS
0.2%
CVE-2016-0926 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-0896 HIGH This Week

Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Cloud Foundry Elastic Runtime
NVD
CVSS 3.0
7.3
EPSS
0.1%
CVE-2016-0635 HIGH PATCH This Week

Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2; the Oracle Health Sciences Information Manager component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Elastic Information Disclosure Java Oracle Documaker +10
NVD
CVSS 3.0
8.8
EPSS
5.0%
CVE-2016-0392 HIGH This Week

IBM General Parallel File System (GPFS) in GPFS Storage Server 2.0.0 through 2.0.7 and Elastic Storage Server 2.5.x through 2.5.5, 3.x before 3.5.5, and 4.x before 4.0.3, as distributed in Spectrum. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Elastic Authentication Bypass Elastic Storage Server General Parallel File System Storage Server
NVD
CVSS 3.0
8.4
EPSS
0.1%
CVE-2015-8131 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Elastic CSRF Kibana
NVD
CVSS 2.0
6.8
EPSS
0.2%
CVE-2015-5531 Maven MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.0%.

Path Traversal Elastic Elasticsearch
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
92.0%
Threat
5.3
CVE-2015-4152 MEDIUM This Month

Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Elastic Logstash
NVD
CVSS 2.0
6.4
EPSS
0.6%
CVE-2015-4093 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Elastic Kibana
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2015-3337 Maven MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.1%.

Path Traversal Elastic Elasticsearch
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
91.1%
Threat
5.1
CVE-2015-1427 Maven CRITICAL POC KEV PATCH THREAT Act Now

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Authentication Bypass Elastic
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
92.3%
Threat
7.7
CVE-2014-6439 Maven MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Elastic Elasticsearch
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2014-3120 Maven HIGH POC KEV PATCH THREAT Act Now

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Authentication Bypass Elastic
NVD Exploit-DB VulDB
CVSS 3.1
8.1
EPSS
82.6%
Threat
7.1
CVE-2014-4326 Ruby HIGH PATCH This Week

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Elastic Zabbix Logstash
NVD
CVSS 2.0
7.5
EPSS
0.9%
CVE-2013-4758 MEDIUM PATCH This Month

Double free vulnerability in the writeDataError function in the ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Denial Of Service Elastic RCE Rsyslog
NVD
CVSS 2.0
6.8
EPSS
1.2%
CVE-2012-5483 LOW Monitor

tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Elastic Keystone
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2012-5571 PyPI MEDIUM PATCH This Month

A flaw was found in OpenStack Keystone. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Elastic Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.2%
CVE-2012-5781 MEDIUM POC This Month

Amazon Elastic Load Balancing API Tools does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Elastic Information Disclosure Elastic Load Balancing
NVD
CVSS 2.0
5.8
EPSS
0.1%
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Elastic Kibana
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Elastic Kibana Reporting
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the web interface of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive system credentials that are stored in an affected system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability in the file system of Cisco Elastic Services Controllers could allow an authenticated, local attacker to gain access to sensitive user credentials that are stored in an affected. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

A vulnerability in the ConfD server component of Cisco Elastic Services Controllers could allow an authenticated, local attacker to access information stored in the file system of an affected system,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Cisco Authentication Bypass Elastic +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to access sensitive information on an affected system. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the admin user, aka an Insecure Default. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux root user, aka an Insecure Default Password. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Elastic Information Disclosure +1
NVD
EPSS 9% CVSS 8.8
HIGH This Week

A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Tomcat Cisco Command Injection +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions prior to 1.8.29 and 1.9.x versions prior to 1.9.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Elastic Cloud Foundry Elastic Runtime
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.65, 1.7.x versions prior to 1.7.48, 1.8.x versions prior to 1.8.28, and 1.9.x versions prior to 1.9.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Cloud Foundry Elastic Runtime
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions prior to 1.6.60, 1.7.x versions prior to 1.7.41, 1.8.x versions prior to 1.8.23, and 1.9.x versions prior to 1.9.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Cloud Foundry Elastic Runtime
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

The UAA reset password flow in Cloud Foundry release v236 and earlier versions, UAA release v3.3.0 and earlier versions, all versions of Login-server, UAA release v10 and earlier versions and Pivotal. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Privilege Escalation Elastic Cloud Foundry Uaa Bosh +4
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Loggregator Traffic Controller endpoints in cf-release v231 and lower, Pivotal Elastic Runtime versions prior to 1.5.19 AND 1.6.x versions prior to 1.6.20 are not cleansing request URL paths when. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Information Disclosure Cf Release +1
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The UAA OAuth approval pages in Cloud Foundry v208 to v231, Login-server v1.6 to v1.14, UAA v2.0.0 to v2.7.4.1, UAA v3.0.0 to v3.2.0, UAA-Release v2 to v7 and Pivotal Elastic Runtime 1.6.x versions. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Java Elastic +5
NVD
EPSS 0% CVSS 7.5
HIGH This Week

It was discovered that cf-release v231 and lower, Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 and Pivotal Cloud Foundry Elastic Runtime 1.6.x versions prior to 1.6.18 do not. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Elastic Cf Release +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Cloud Foundry Garden-Linux versions prior to v0.333.0 and Elastic Runtime 1.6.x version prior to 1.6.17 contain a flaw in managing container files during Docker image preparation that could be used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Docker Elastic Information Disclosure +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A path traversal vulnerability was identified in the Cloud Foundry component Cloud Controller that affects cf-release versions prior to v208 and Pivotal Cloud Foundry Elastic Runtime versions prior. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Elastic Cf Release +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Elastic Information Disclosure Cloud Foundry +3
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi Elastic Cloud Foundry Uaa Bosh +4
NVD
EPSS 0% CVSS 7.4
HIGH This Week

An open redirect vulnerability has been detected with some Pivotal Cloud Foundry Elastic Runtime components. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Cloud Foundry Ops Manager +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before 243; UAA 2.x before 2.7.4.8, 3.x before 3.3.0.6, and 3.4.x before 3.4.5; UAA BOSH before 11.7 and 12.x before 12.6; Elastic Runtime. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Privilege Escalation Cloud Foundry Uaa Bosh +4
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Elastic CSRF Cloud Foundry Uaa Bosh +4
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The OAuth authorization implementation in Pivotal Cloud Foundry (PCF) before 242; UAA 2.x before 2.7.4.7, 3.x before 3.3.0.5, and 3.4.x before 3.4.4; UAA BOSH before 11.5 and 12.x before 12.5;. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Cloud Foundry Uaa Bosh +4
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242, as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Elastic PHP Information Disclosure +2
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.30 and 1.7.x before 1.7.8 allow remote attackers to redirect users to arbitrary web sites and conduct. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Open Redirect Cloud Foundry Elastic Runtime
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Elastic Cloud Foundry Elastic Runtime
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Elastic Authentication Bypass Cloud Foundry Elastic Runtime
NVD
EPSS 5% CVSS 8.8
HIGH PATCH This Week

Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2; the Oracle Health Sciences Information Manager component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Elastic Information Disclosure Java +12
NVD
EPSS 0% CVSS 8.4
HIGH This Week

IBM General Parallel File System (GPFS) in GPFS Storage Server 2.0.0 through 2.0.7 and Elastic Storage Server 2.5.x through 2.5.5, 3.x before 3.5.5, and 4.x before 4.0.3, as distributed in Spectrum. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

IBM Elastic Authentication Bypass +2
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Elastic CSRF Kibana
NVD
EPSS 92% 5.3 CVSS 5.0
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 92.0%.

Path Traversal Elastic Elasticsearch
NVD Exploit-DB
EPSS 1% CVSS 6.4
MEDIUM This Month

Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Elastic Logstash
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Elastic Kibana
NVD
EPSS 91% 5.1 CVSS 4.3
MEDIUM POC PATCH THREAT This Month

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 91.1%.

Path Traversal Elastic Elasticsearch
NVD Exploit-DB
EPSS 92% 7.7 CVSS 9.8
CRITICAL POC KEV PATCH THREAT Act Now

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Authentication Bypass Elastic
NVD Exploit-DB VulDB
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Elastic Elasticsearch
NVD
EPSS 83% 7.1 CVSS 8.1
HIGH POC KEV PATCH THREAT Act Now

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Java Authentication Bypass Elastic
NVD Exploit-DB VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Elastic Zabbix +1
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Double free vulnerability in the writeDataError function in the ElasticSearch plugin (omelasticsearch) in rsyslog before 7.4.2 and before 7.5.2 devel, when errorfile is set to local logging, allows. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Denial Of Service Elastic RCE +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Elastic Keystone
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A flaw was found in OpenStack Keystone. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Elastic Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.8
MEDIUM POC This Month

Amazon Elastic Load Balancing API Tools does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Elastic Information Disclosure Elastic Load Balancing
NVD
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy