Vendor CVEs
Elastic
All CVEs
258 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-17245 | | | 0.00 | — | 0.01 | | Dec 20, 2018 | Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an… |
| CVE-2018-17247 | | | 0.00 | — | 0.01 | | Dec 20, 2018 | Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable… |
| CVE-2018-17244 | | | 0.00 | — | 0.01 | | Dec 20, 2018 | Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being… |
| CVE-2015-8131 | | | 0.00 | — | 0.01 | | Dec 7, 2015 | Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| CVE-2015-4152 | | | 0.00 | — | 0.03 | | Jun 15, 2015 | Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option. |
| CVE-2015-4093 | | | 0.00 | — | 0.02 | | Jun 15, 2015 | Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2014-6439 | | | 0.00 | — | 0.02 | | Oct 10, 2014 | Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| CVE-2014-4326 | | | 0.00 | — | 0.03 | | Jul 22, 2014 | Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. |