Cloud Enterprise
by Elastic
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-3828 | Hig | 0.49 | 7.5 | 0.01 | Sep 19, 2018 | Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An… | ||
| CVE-2018-3825 | Med | 0.38 | 5.9 | 0.01 | Sep 19, 2018 | In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can… | ||
| CVE-2017-8444 | Med | 0.38 | 5.9 | 0.01 | Sep 29, 2017 | The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data. | ||
| CVE-2018-3829 | Med | 0.35 | 5.3 | 0.01 | Sep 19, 2018 | In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an… | ||
| CVE-2021-22146 | 0.05 | — | 0.28 | Jul 21, 2021 | All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage… | |||
| CVE-2025-37736 | 0.00 | — | 0.00 | Nov 7, 2025 | Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts… | |||
| CVE-2025-37729 | 0.00 | — | 0.01 | Oct 13, 2025 | Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated. | |||
| CVE-2024-37282 | 0.00 | — | 0.01 | Jun 28, 2024 | It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges. | |||
| CVE-2023-32764 | 0.00 | — | 0.00 | Aug 3, 2023 | Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator. | |||
| CVE-2022-23716 | 0.00 | — | 0.01 | Sep 28, 2022 | A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster. | |||
| CVE-2022-29908 | 0.00 | — | 0.00 | Sep 19, 2022 | The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation. | |||
| CVE-2022-23715 | 0.00 | — | 0.01 | Aug 25, 2022 | A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are… |
- risk 0.49cvss 7.5epss 0.01
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An…
- risk 0.38cvss 5.9epss 0.01
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can…
- risk 0.38cvss 5.9epss 0.01
The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.
- risk 0.35cvss 5.3epss 0.01
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an…
- CVE-2021-22146Jul 21, 2021risk 0.05cvss —epss 0.28
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage…
- CVE-2025-37736Nov 7, 2025risk 0.00cvss —epss 0.00
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts…
- CVE-2025-37729Oct 13, 2025risk 0.00cvss —epss 0.01
Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
- CVE-2024-37282Jun 28, 2024risk 0.00cvss —epss 0.01
It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
- CVE-2023-32764Aug 3, 2023risk 0.00cvss —epss 0.00
Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to escalate their privileges to local administrator.
- CVE-2022-23716Sep 28, 2022risk 0.00cvss —epss 0.01
A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster.
- CVE-2022-29908Sep 19, 2022risk 0.00cvss —epss 0.00
The folioupdate service in Fabasoft Cloud Enterprise Client 22.4.0043 allows Local Privilege Escalation.
- CVE-2022-23715Aug 25, 2022risk 0.00cvss —epss 0.01
A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are…