Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
elasticsearch elasticsearch vulnerabilities and exploits
(subscribe to this query)
5.3
CVSSv3
CVE-2017-8446
The Reporting feature in X-Pack in versions before 5.5.2 and standalone Reporting plugin versions versions before 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining ...
Elasticsearch X-pack
Elasticsearch X-pack Reporting
5.9
CVSSv3
CVE-2017-8444
The client-forwarder in Elastic Cloud Enterprise versions before 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.
Elasticsearch Cloud Enterprise 1.0.1
Elasticsearch Cloud Enterprise 1.0.0
5.9
CVSSv3
CVE-2019-7614
A race condition flaw was found in the response headers Elasticsearch versions prior to 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an malicious user to gain access to response header containing sensitive dat...
Elastic Elasticsearch
6.5
CVSSv3
CVE-2018-17244
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated...
Elastic Elasticsearch
7.5
CVSSv3
CVE-2023-46673
It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.
Elastic Elasticsearch
5.3
CVSSv3
CVE-2019-7619
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
Elastic Elasticsearch
7.5
CVSSv3
CVE-2017-11480
Packetbeat versions before 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from p...
Elasticsearch Packetbeat
3.1
CVSSv3
CVE-2020-7020
Elasticsearch versions prior to 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the e...
Elastic Elasticsearch
9.8
CVSSv3
CVE-2015-5377
Elasticsearch prior to 1.6.1 allows remote malicious users to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
Elastic Elasticsearch
4 Github repositories
8.8
CVSSv3
CVE-2020-7009
Elasticsearch versions from 6.7.0 prior to 6.8.8 and 7.0.0 prior to 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with ele...
Elastic Elasticsearch
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-7073
CVE-2024-5496
CVE-2024-5495
XPath injection
bypass
CVE-2024-30043
CVE-2024-24919
denial of service
CVE-2024-35468
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »