Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
elastic elasticsearch vulnerabilities and exploits
(subscribe to this query)
5.9
CVSSv3
CVE-2018-3825
In Elastic Cloud Enterprise (ECE) versions before 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can conn...
Elastic Elastic Cloud Enterprise
6.5
CVSSv3
CVE-2023-6687
An issue exists by Elastic whereby Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Elastic Agent attempted to ...
Elastic Elastic Agent
6.5
CVSSv3
CVE-2023-49922
An issue exists by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or 429. Depending on the nature of the event that Beats or Elastic ...
Elastic Elastic Beats
6.5
CVSSv3
CVE-2023-46666
An issue exists when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to al...
Elastic Elastic Sharepoint Online Python Connector
6.5
CVSSv3
CVE-2017-8442
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an ...
Elastic X-pack
9.1
CVSSv3
CVE-2023-46668
If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed i...
Elastic Endpoint
7.5
CVSSv3
CVE-2016-1000221
Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information.
Elastic Logstash
5.4
CVSSv3
CVE-2021-37936
It exists that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would ...
Elastic Kibana
NA
CVE-2015-4152
Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash prior to 1.4.3 allows remote malicious users to write to arbitrary files via vectors related to dynamic field references in the path option.
Elastic Logstash
8.1
CVSSv3
CVE-2023-46667
An issue exists in Fleet Server >= v8.10.0 and < v8.10.3 where Agent enrolment tokens are being inserted into the Fleet Server’s log file in plain text. These enrolment tokens could allow someone to enrol an agent into an agent policy, and potentially use that to retr...
Elastic Fleet Server
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-7073
CVE-2024-5496
CVE-2024-5495
XPath injection
bypass
CVE-2024-30043
CVE-2024-24919
denial of service
CVE-2024-35468
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
NEXT »