Maven package
org.elasticsearch/elasticsearch
pkg:maven/org.elasticsearch/elasticsearch
Vulnerabilities (44)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-22147 | — | >= 7.11.0, < 7.14.0 | 7.14.0 | Sep 15, 2021 | Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. | ||
| CVE-2021-22144 | — | < 6.8.17 | 6.8.17 | Jul 26, 2021 | In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious | ||
| CVE-2021-22137 | — | >= 7.11.0, < 7.11.2 | 7.11.2 | May 13, 2021 | In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search | ||
| CVE-2021-22135 | — | >= 7.0.0, < 7.11.2 | 7.11.2 | May 13, 2021 | Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level sec | ||
| CVE-2021-22134 | — | >= 7.6.0, < 7.11.0 | 7.11.0 | Mar 8, 2021 | A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents t | ||
| CVE-2020-7021 | — | < 6.8.14 | 6.8.14 | Feb 10, 2021 | Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow | ||
| CVE-2021-22132 | — | >= 7.7.0, < 7.10.2 | 7.10.2 | Jan 14, 2021 | Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers | ||
| CVE-2020-7020 | — | < 6.8.13 | 6.8.13 | Oct 22, 2020 | Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the exi | ||
| CVE-2020-7019 | — | >= 7.0.0, < 7.9.0 | 7.9.0 | Aug 18, 2020 | In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could re | ||
| CVE-2020-7014 | — | >= 6.7.0, < 6.8.8 | 6.8.8 | Jun 3, 2020 | The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an | ||
| CVE-2020-7009 | — | >= 6.7.0, < 6.8.8 | 6.8.8 | Mar 31, 2020 | Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevate | ||
| CVE-2019-7619 | — | >= 6.7.0, < 6.8.4 | 6.8.4 | Oct 30, 2019 | Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm. | ||
| CVE-2019-7614 | — | < 6.8.2 | 6.8.2 | Jul 30, 2019 | A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from a | ||
| CVE-2019-7611 | — | < 5.6.15 | 5.6.15 | Mar 25, 2019 | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to fals | ||
| CVE-2018-17247 | — | >= 6.5.0, < 6.5.2 | 6.5.2 | Dec 20, 2018 | Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable | ||
| CVE-2018-17244 | — | >= 6.4.0, < 6.4.3 | 6.4.3 | Dec 20, 2018 | Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated | ||
| CVE-2018-3831 | — | >= 5.6.0, < 5.6.12 | 5.6.12 | Sep 19, 2018 | Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, | ||
| CVE-2018-3824 | — | < 5.6.9 | 5.6.9 | Sep 19, 2018 | X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to | ||
| CVE-2015-4165 | Hig | 7.5 | < 1.6.0 | 1.6.0 | Aug 9, 2017 | The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code from them, is accessible by the attacker, and the Java VM on which Elasticsearch is running can write to a location that the other application | |
| CVE-2015-5531 | — | < 1.6.1 | 1.6.1 | Aug 17, 2015 | Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. |
- CVE-2021-22147Sep 15, 2021affected >= 7.11.0, < 7.14.0fixed 7.14.0
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
- CVE-2021-22144Jul 26, 2021affected < 6.8.17fixed 6.8.17
In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious
- CVE-2021-22137May 13, 2021affected >= 7.11.0, < 7.11.2fixed 7.11.2
In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search
- CVE-2021-22135May 13, 2021affected >= 7.0.0, < 7.11.2fixed 7.11.2
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level sec
- CVE-2021-22134Mar 8, 2021affected >= 7.6.0, < 7.11.0fixed 7.11.0
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents t
- CVE-2020-7021Feb 10, 2021affected < 6.8.14fixed 6.8.14
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow
- CVE-2021-22132Jan 14, 2021affected >= 7.7.0, < 7.10.2fixed 7.10.2
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers
- CVE-2020-7020Oct 22, 2020affected < 6.8.13fixed 6.8.13
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the exi
- CVE-2020-7019Aug 18, 2020affected >= 7.0.0, < 7.9.0fixed 7.9.0
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could re
- CVE-2020-7014Jun 3, 2020affected >= 6.7.0, < 6.8.8fixed 6.8.8
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an
- CVE-2020-7009Mar 31, 2020affected >= 6.7.0, < 6.8.8fixed 6.8.8
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevate
- CVE-2019-7619Oct 30, 2019affected >= 6.7.0, < 6.8.4fixed 6.8.4
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
- CVE-2019-7614Jul 30, 2019affected < 6.8.2fixed 6.8.2
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from a
- CVE-2019-7611Mar 25, 2019affected < 5.6.15fixed 5.6.15
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to fals
- CVE-2018-17247Dec 20, 2018affected >= 6.5.0, < 6.5.2fixed 6.5.2
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable
- CVE-2018-17244Dec 20, 2018affected >= 6.4.0, < 6.4.3fixed 6.4.3
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated
- CVE-2018-3831Sep 19, 2018affected >= 5.6.0, < 5.6.12fixed 5.6.12
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens,
- CVE-2018-3824Sep 19, 2018affected < 5.6.9fixed 5.6.9
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to
- affected < 1.6.0fixed 1.6.0
The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code from them, is accessible by the attacker, and the Java VM on which Elasticsearch is running can write to a location that the other application
- CVE-2015-5531Aug 17, 2015affected < 1.6.1fixed 1.6.1
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
Page 2 of 3