VYPR

Vendor CVEs

Elastic

All CVEs

258 total · sorted by risk
  • CVE-2022-23714Jul 6, 2022
    risk 0.00cvss epss 0.00

    A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.

  • CVE-2022-23713Jul 6, 2022
    risk 0.00cvss epss 0.01

    A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser.

  • CVE-2022-23712Jun 6, 2022
    risk 0.00cvss epss 0.07

    A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

  • CVE-2022-23711Apr 21, 2022
    risk 0.00cvss epss 0.01

    A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a…

  • CVE-2022-23710Mar 3, 2022
    risk 0.00cvss epss 0.01

    A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.

  • CVE-2022-23709Mar 3, 2022
    risk 0.00cvss epss 0.01

    A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a…

  • CVE-2022-23708Mar 3, 2022
    risk 0.00cvss epss 0.01

    A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.

  • CVE-2022-23707Feb 11, 2022
    risk 0.00cvss epss 0.01

    An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users

  • CVE-2021-37941Dec 8, 2021
    risk 0.00cvss epss 0.00

    A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a…

  • CVE-2021-37940Dec 7, 2021
    risk 0.00cvss epss 0.01

    An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might…

  • CVE-2021-37939Nov 18, 2021
    risk 0.00cvss epss 0.00

    It was discovered that Kibana’s JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could…

  • CVE-2021-37938Nov 18, 2021
    risk 0.00cvss epss 0.01

    It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks…

  • CVE-2021-22148Sep 15, 2021
    risk 0.00cvss epss 0.01

    Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.

  • CVE-2021-22149Sep 15, 2021
    risk 0.00cvss epss 0.01

    Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.

  • CVE-2021-22147Sep 15, 2021
    risk 0.00cvss epss 0.01

    Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

  • CVE-2021-22140May 13, 2021
    risk 0.00cvss epss 0.01

    Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse…

  • CVE-2021-22139May 13, 2021
    risk 0.00cvss epss 0.01

    Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana…

  • CVE-2021-22138May 13, 2021
    risk 0.00cvss epss 0.00

    In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could…

  • CVE-2021-22137May 13, 2021
    risk 0.00cvss epss 0.01

    In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the…

  • CVE-2021-22136May 13, 2021
    risk 0.00cvss epss 0.00

    In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions,…

  • CVE-2021-22135May 13, 2021
    risk 0.00cvss epss 0.01

    Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level…

  • CVE-2021-22134Mar 8, 2021
    risk 0.00cvss epss 0.01

    A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents…

  • CVE-2020-7021Feb 10, 2021
    risk 0.00cvss epss 0.01

    Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow…

  • CVE-2021-22133Feb 10, 2021
    risk 0.00cvss epss 0.01

    The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an…

  • CVE-2021-22132Jan 14, 2021
    risk 0.00cvss epss 0.01

    Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers…

  • CVE-2020-27816Dec 2, 2020
    risk 0.00cvss epss 0.01

    The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource.…

  • CVE-2020-7020Oct 22, 2020
    risk 0.00cvss epss 0.01

    Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the…

  • CVE-2020-7018Aug 18, 2020
    risk 0.00cvss epss 0.01

    Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the �developer� role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct…

  • CVE-2020-7019Aug 18, 2020
    risk 0.00cvss epss 0.01

    In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could…

  • CVE-2020-7017Jul 27, 2020
    risk 0.00cvss epss 0.01

    In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the…

  • CVE-2020-7016Jul 27, 2020
    risk 0.00cvss epss 0.01

    Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

  • CVE-2020-7014Jun 3, 2020
    risk 0.00cvss epss 0.02

    The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an…

  • CVE-2020-7013Jun 3, 2020
    risk 0.00cvss epss 0.02

    Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code…

  • CVE-2020-7015Jun 3, 2020
    risk 0.00cvss epss 0.01

    Kibana versions before 6.8.9 and 7.7.0 contains a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, on behalf of Kibana users…

  • CVE-2020-7011Jun 3, 2020
    risk 0.00cvss epss 0.01

    Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of…

  • CVE-2020-7010Jun 3, 2020
    risk 0.00cvss epss 0.01

    Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials…

  • CVE-2020-7009Mar 31, 2020
    risk 0.00cvss epss 0.02

    Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with…

  • CVE-2019-7621Dec 18, 2019
    risk 0.00cvss epss 0.01

    Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that…

  • CVE-2019-7620Oct 30, 2019
    risk 0.00cvss epss 0.02

    Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop…

  • CVE-2019-7619Oct 30, 2019
    risk 0.00cvss epss 0.02

    Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

  • CVE-2019-7618Oct 1, 2019
    risk 0.00cvss epss 0.01

    A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana…

  • CVE-2019-7617Aug 22, 2019
    risk 0.00cvss epss 0.02

    When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.

  • CVE-2019-7615Jul 30, 2019
    risk 0.00cvss epss 0.01

    A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could…

  • CVE-2019-7616Jul 30, 2019
    risk 0.00cvss epss 0.02

    Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could…

  • CVE-2019-7614Jul 30, 2019
    risk 0.00cvss epss 0.01

    A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from…

  • CVE-2019-7613Mar 25, 2019
    risk 0.00cvss epss 0.01

    Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.

  • CVE-2019-7612Mar 25, 2019
    risk 0.00cvss epss 0.02

    A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.

  • CVE-2019-7608Mar 25, 2019
    risk 0.00cvss epss 0.01

    Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

  • CVE-2019-7611Mar 25, 2019
    risk 0.00cvss epss 0.02

    A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to…

  • CVE-2019-7610Mar 25, 2019
    risk 0.00cvss epss 0.04

    Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly…

Page 5 of 6