Elasticsearch

elasticsearch

Vendor: Elastic • 47 CVEs

CVEs (47)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-17247 1Elastic 1Elasticsearch Nov 21, 2024 Dec 20, 2018 N/A· v4 5.9 MEDIUM· v3 4.3 MEDIUM· v2 Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then...Show more Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.Show less
CVE-2018-17244 1Elastic 1Elasticsearch Nov 21, 2024 Dec 20, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for...Show more Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.Show less
CVE-2018-3831 1Elastic 1Elasticsearch Nov 21, 2024 Sep 19, 2018 N/A· v4 8.8 HIGH· v3 4.0 MEDIUM· v2 Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sen...Show more Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.Show less
CVE-2018-3826 1Elastic 1Elasticsearch Nov 21, 2024 Sep 19, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users...Show more In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.Show less
CVE-2015-5377 1Elastic 1Elasticsearch Nov 21, 2024 Mar 6, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnera...Show more Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerabilityShow less
CVE-2015-1427 2Elastic Redhat 2Elasticsearch Fuse Apr 22, 2026 Feb 17, 2015 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CVE-2014-3120 2Elastic Elasticsearch 2Elasticsearch Elasticsearch Apr 22, 2026 Jul 28, 2014 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only vio...Show more The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.Show less

Previous 1 23