Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
elastic elasticsearch vulnerabilities and exploits
(subscribe to this query)
7.5
CVSSv3
CVE-2023-31419
A flaw exists in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.
Elastic Elasticsearch
2 Github repositories
8.1
CVSSv3
CVE-2019-7611
A permission issue was found in Elasticsearch versions prior to 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to fa...
Elastic Elasticsearch
8.8
CVSSv3
CVE-2021-37937
An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server s...
Elastic Elasticsearch
5.3
CVSSv3
CVE-2021-22135
Elasticsearch versions prior to 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level s...
Elastic Elasticsearch
5.3
CVSSv3
CVE-2021-22137
In Elasticsearch versions prior to 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the sear...
Elastic Elasticsearch
6.5
CVSSv3
CVE-2021-22147
Elasticsearch prior to 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Elastic Elasticsearch
7.5
CVSSv3
CVE-2021-22146
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could le...
Elastic Elasticsearch 7.13.3
1 Github repository
5.4
CVSSv3
CVE-2018-3823
X-Pack Machine Learning versions prior to 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the malicious user to obtain sensitive informatio...
Elastic Elasticsearch X-pack
Elastic Kibana X-pack
Elastic Logstash X-pack
6.1
CVSSv3
CVE-2018-3824
X-Pack Machine Learning versions prior to 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the malicious ...
Elastic Elasticsearch X-pack
Elastic Kibana X-pack
Elastic Logstash X-pack
4.8
CVSSv3
CVE-2021-22132
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers ...
Elastic Elasticsearch
Oracle Communications Cloud Native Core Automated Test Suite 1.8.0
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-7073
CVE-2024-5496
CVE-2024-5495
XPath injection
bypass
CVE-2024-30043
CVE-2024-24919
denial of service
CVE-2024-35468
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
NEXT »