Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
elasticsearch elasticsearch vulnerabilities and exploits
(subscribe to this query)
4.3
CVSSv2
CVE-2018-3827
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.
Elastic Azure Repository
Elastic Azure Repository 6.0.0
4.3
CVSSv2
CVE-2018-3825
In Elastic Cloud Enterprise (ECE) versions before 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can conn...
Elastic Elastic Cloud Enterprise
4.3
CVSSv2
CVE-2017-8444
The client-forwarder in Elastic Cloud Enterprise versions before 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.
Elasticsearch Cloud Enterprise 1.0.1
Elasticsearch Cloud Enterprise 1.0.0
4.3
CVSSv2
CVE-2017-11479
Kibana versions before 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an malicious user to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Elasticsearch Kibana 5.1.0
Elastic Kibana 5.0.1
Elastic Kibana 5.0.2
Elastic Kibana 5.1.1
Elastic Kibana 5.1.2
Elastic Kibana 5.2.0
Elastic Kibana 5.2.1
Elastic Kibana 5.2.2
Elastic Kibana 5.3.0
Elastic Kibana 5.3.1
Elastic Kibana 5.3.2
Elastic Kibana 5.3.3
Elastic Kibana 5.4.0
Elastic Kibana 5.4.1
Elastic Kibana 5.4.2
Elastic Kibana 5.4.3
Elastic Kibana 5.5.0
Elastic Kibana 5.5.1
Elastic Kibana 5.5.2
Elastic Kibana 5.5.3
Elastic Kibana 5.6.0
Elastic Kibana 5.0.0
4.3
CVSSv2
CVE-2015-5619
Logstash 1.4.x prior to 1.4.5 and 1.5.x prior to 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow malicious users to obtain sensitive information via a man-in-the-middle attack.
Elasticsearch Logstash 1.5.3
Elasticsearch Logstash 1.4.4
Elasticsearch Logstash 1.5.1
Elasticsearch Logstash 1.4.3
Elasticsearch Logstash 1.5.0
Elasticsearch Logstash 1.5.2
Elastic Logstash 1.4.1
Elastic Logstash 1.4.2
Elastic Logstash 1.4.0
4.3
CVSSv2
CVE-2015-3337
Directory traversal vulnerability in Elasticsearch prior to 1.4.5 and 1.5.x prior to 1.5.2, when a site plugin is enabled, allows remote malicious users to read arbitrary files via unspecified vectors.
Elasticsearch Elasticsearch 1.5.0
Elasticsearch Elasticsearch
Elasticsearch Elasticsearch 1.5.1
1 EDB exploit
2 Github repositories
4.3
CVSSv2
CVE-2014-6439
Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch prior to 1.4.0.Beta1 allows remote malicious users to inject arbitrary web script or HTML via unspecified vectors.
Elasticsearch Elasticsearch
4
CVSSv2
CVE-2022-34807
Jenkins Elasticsearch Query Plugin 1.2 and previous versions stores a password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Jenkins Elasticsearch Query
4
CVSSv2
CVE-2022-23708
A flaw exists in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
Elastic Elasticsearch
4
CVSSv2
CVE-2021-22147
Elasticsearch prior to 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Elastic Elasticsearch
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27802
template injection
CVE-2024-0044
code injection
CVE-2024-35474
CVE-2024-27857
CVE-2024-23251
CVE-2024-23692
physical
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
10
NEXT »