Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
elastic elasticsearch vulnerabilities and exploits
(subscribe to this query)
356
VMScore
CVE-2018-3826
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Elastic Elasticsearch
Elastic Elasticsearch 6.0.0
383
VMScore
CVE-2018-17247
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted reques...
Elastic Elasticsearch 6.5.1
Elastic Elasticsearch 6.5.0
383
VMScore
CVE-2015-5619
Logstash 1.4.x prior to 1.4.5 and 1.5.x prior to 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow malicious users to obtain sensitive information via a man-in-the-middle attack.
Elastic Logstash 1.4.0
Elastic Logstash 1.4.2
Elasticsearch Logstash 1.5.0
Elasticsearch Logstash 1.5.1
Elastic Logstash 1.4.1
Elasticsearch Logstash 1.5.2
Elasticsearch Logstash 1.5.3
Elasticsearch Logstash 1.4.3
Elasticsearch Logstash 1.4.4
445
VMScore
CVE-2015-5378
Logstash 1.5.x prior to 1.5.3 and 1.4.x prior to 1.4.4 allows remote malicious users to read communications between Logstash Forwarder agent and Logstash server.
Elasticsearch Logstash 1.5.1
Elastic Logstash 1.4.1
Elastic Logstash 1.4.2
Elasticsearch Logstash 1.4.3
Elasticsearch Logstash 1.5.2
Elasticsearch Logstash 1.5.0
Elastic Logstash 1.4.0
357
VMScore
CVE-2022-23708
A flaw exists in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
Elastic Elasticsearch
446
VMScore
CVE-2022-23712
A Denial of Service flaw exists in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
Elastic Elasticsearch
NA
CVE-2021-37937
An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server s...
Elastic Elasticsearch
NA
CVE-2023-46673
It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.
Elastic Elasticsearch
NA
CVE-2023-46674
An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.
Elastic Elasticsearch
356
VMScore
CVE-2018-17244
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated...
Elastic Elasticsearch
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-33228
CVE-2024-20361
log injection
bypass
CVE-2024-4985
CVE-2024-35223
CVE-2024-29849
CVE-2024-31893
IMAP
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
6
NEXT »