← Back

Elastic

elastic

229 CVEs • 30 products

Products (30)

Click to collapse
Toggle
Kibana
kibana
113 CVEs
Elasticsearch
elasticsearch
47 CVEs
Logstash
logstash
13 CVEs
X Pack
x-pack
9 CVEs
Elastic Cloud Enterprise
elastic_cloud_enterprise
9 CVEs
Enterprise Search
enterprise_search
5 CVEs
Endpoint Security
endpoint_security
5 CVEs
Elastic Agent
elastic_agent
5 CVEs
Apm Agent
apm_agent
3 CVEs
Apm Server
apm_server
3 CVEs
Elasticsearch X Pack
elasticsearch_x-pack
2 CVEs
Kibana X Pack
kibana_x-pack
2 CVEs
Logstash X Pack
logstash_x-pack
2 CVEs
Elastic Cloud On Kubernetes
elastic_cloud_on_kubernetes
2 CVEs
Elastic App Search
elastic_app_search
2 CVEs
Endgame
endgame
2 CVEs
Filebeat
filebeat
2 CVEs
Elastic Beats
elastic_beats
2 CVEs
Kibana Reporting
kibana_reporting
1 CVE
Azure Repository
azure_repository
1 CVE
Winlogbeat
winlogbeat
1 CVE
Apm Agent Ruby
apm-agent-ruby
1 CVE
Endpoint
endpoint
1 CVE
Fleet Server
fleet_server
1 CVE
Elastic Fleet Server
elastic_fleet_server
1 CVE
Elastic Sharepoint Online Python Connector
elastic_sharepoint_online_python_connector
1 CVE
Apm .net Agent
apm_.net_agent
1 CVE
Apm Java Agent
apm_java_agent
1 CVE
Network Drive Connector
network_drive_connector
1 CVE
Elastic Package Registry
elastic_package_registry
1 CVE

CVEs (229)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2017-8445
1Elastic
1X Pack
May 13, 2026
Aug 18, 2017
N/A· v4
5.5 MEDIUM· v3
2.1 LOW· v2
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could...Show more
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.Show less
CVE-2015-5619
2Elastic
Elasticsearch
2Logstash
Logstash
May 13, 2026
Aug 9, 2017
N/A· v4
5.9 MEDIUM· v3
4.3 MEDIUM· v2
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive informa...Show more
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.Show less
CVE-2017-8442
1Elastic
1X Pack
May 13, 2026
Jul 7, 2017
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configu...Show more
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.Show less
CVE-2017-8443
1Elastic
1Kibana
May 13, 2026
Jun 30, 2017
N/A· v4
6.5 MEDIUM· v3
4.3 MEDIUM· v2
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen...Show more
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.Show less
CVE-2015-5378
2Elastic
Elasticsearch
2Logstash
Logstash
May 13, 2026
Jun 27, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server.
CVE-2017-8452
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes.
CVE-2017-8451
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
6.1 MEDIUM· v3
5.8 MEDIUM· v2
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
CVE-2017-8450
1Elastic
1X Pack
May 13, 2026
Jun 16, 2017
N/A· v4
7.5 HIGH· v3
4.0 MEDIUM· v2
X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.
CVE-2017-8449
1Elastic
1X Pack
May 13, 2026
Jun 16, 2017
N/A· v4
5.9 MEDIUM· v3
4.3 MEDIUM· v2
X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules f...Show more
X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.Show less
CVE-2016-10366
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
CVE-2016-10365
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
6.1 MEDIUM· v3
5.8 MEDIUM· v2
Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website.
CVE-2016-10364
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
6.5 MEDIUM· v3
4.0 MEDIUM· v2
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of...Show more
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.Show less
CVE-2016-10363
1Elastic
1Logstash
May 13, 2026
Jun 16, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The e...Show more
Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.Show less
CVE-2016-1000222
1Elastic
1Logstash
May 13, 2026
Jun 16, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data.
CVE-2016-1000221
1Elastic
1Logstash
May 13, 2026
Jun 16, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information.
CVE-2016-1000220
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
CVE-2016-1000219
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when...Show more
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.Show less
CVE-2016-1000218
1Elastic
1Kibana Reporting
May 13, 2026
Jun 16, 2017
N/A· v4
8.8 HIGH· v3
6.8 MEDIUM· v2
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
CVE-2015-9056
1Elastic
1Kibana
May 13, 2026
Jun 16, 2017
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
CVE-2017-8441
1Elastic
1X Pack
May 13, 2026
Jun 5, 2017
N/A· v4
4.3 MEDIUM· v3
4.0 MEDIUM· v2
Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have...Show more
Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.Show less