Vulmon
Recent Vulnerabilities
Product List
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
elastic elasticsearch vulnerabilities and exploits
(subscribe to this query)
6.5
CVSSv3
CVE-2018-3826
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Elastic Elasticsearch 6.0.0
Elastic Elasticsearch
5.9
CVSSv3
CVE-2018-17247
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted reques...
Elastic Elasticsearch 6.5.1
Elastic Elasticsearch 6.5.0
5.9
CVSSv3
CVE-2015-5619
Logstash 1.4.x prior to 1.4.5 and 1.5.x prior to 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow malicious users to obtain sensitive information via a man-in-the-middle attack.
Elasticsearch Logstash 1.5.3
Elasticsearch Logstash 1.4.4
Elasticsearch Logstash 1.5.1
Elasticsearch Logstash 1.4.3
Elasticsearch Logstash 1.5.0
Elasticsearch Logstash 1.5.2
Elastic Logstash 1.4.1
Elastic Logstash 1.4.2
Elastic Logstash 1.4.0
7.5
CVSSv3
CVE-2015-5378
Logstash 1.5.x prior to 1.5.3 and 1.4.x prior to 1.4.4 allows remote malicious users to read communications between Logstash Forwarder agent and Logstash server.
Elasticsearch Logstash 1.5.1
Elasticsearch Logstash 1.4.3
Elasticsearch Logstash 1.5.0
Elasticsearch Logstash 1.5.2
Elastic Logstash 1.4.1
Elastic Logstash 1.4.2
Elastic Logstash 1.4.0
7.5
CVSSv3
CVE-2023-31418
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elasti...
Elastic Elasticsearch
Elastic Elastic Cloud Enterprise
Elastic Elastic Cloud Enterprise 3.6.0
9.8
CVSSv3
CVE-2015-5377
Elasticsearch prior to 1.6.1 allows remote malicious users to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
Elastic Elasticsearch
4 Github repositories
7.8
CVSSv3
CVE-2023-46674
An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.
Elastic Elasticsearch
8.8
CVSSv3
CVE-2018-3831
Elasticsearch Alerting and Monitoring in versions prior to 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens...
Elastic Elasticsearch
6.5
CVSSv3
CVE-2021-22147
Elasticsearch prior to 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Elastic Elasticsearch
5.3
CVSSv3
CVE-2021-22135
Elasticsearch versions prior to 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level s...
Elastic Elasticsearch
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
privilege
CVE-2022-48762
CVE-2022-48751
CVE-2024-37079
CVE-2024-30848
LFI
man-in-the-middle
CVE-2022-48736
CVE-2024-30103
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
5
NEXT »