Skip to main content

X Pack

10 CVEs product

Monthly

CVE-2018-3822 CRITICAL Act Now

X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass X Pack
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2017-8448 HIGH This Week

An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass X Pack
NVD
CVSS 3.0
8.8
EPSS
0.3%
CVE-2017-8447 MEDIUM This Month

An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass X Pack
NVD
CVSS 3.0
6.5
EPSS
0.1%
CVE-2017-8446 Maven MEDIUM PATCH This Month

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Information Disclosure X Pack X Pack Reporting
NVD
CVSS 3.0
5.3
EPSS
0.1%
CVE-2017-8445 MEDIUM This Month

An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure X Pack
NVD
CVSS 3.0
5.5
EPSS
0.0%
CVE-2017-8442 MEDIUM This Month

Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
CVSS 3.0
6.5
EPSS
0.4%
CVE-2017-8450 HIGH This Week

X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure X Pack
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2017-8449 MEDIUM This Month

X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure X Pack
NVD
CVSS 3.0
5.9
EPSS
0.3%
CVE-2017-8441 MEDIUM This Month

Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-8438 HIGH PATCH This Week

Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation X Pack
NVD
CVSS 3.0
8.8
EPSS
0.4%
EPSS 2% CVSS 9.8
CRITICAL Act Now

X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass X Pack
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass X Pack
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass X Pack
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Insufficiently Protected Credentials vulnerability could allow attackers to obtain user credentials due to weak protection mechanisms.

Information Disclosure X Pack X Pack Reporting
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure X Pack
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
EPSS 0% CVSS 7.5
HIGH This Week

X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure X Pack
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure X Pack
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Elastic Information Disclosure X Pack
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Elastic Privilege Escalation +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy