Vulnerabilities (CVE)

Vendor filter

Elastic Subscribe

Filter

28 total CVE
CVE Vendors Products Updated CVSS
CVE-2019-7617 1 Elastic 1 Apm Agent 2019-10-09 6.4
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy...
CVE-2019-7615 1 Elastic 1 Apm-agent-ruby 2019-10-09 5.8
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned...
CVE-2019-7614 1 Elastic 1 Elasticsearch 2019-10-09 4.3
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response...
CVE-2019-7613 1 Elastic 1 Winlogbeat 2019-10-09 5.0
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.
CVE-2019-7612 2 Netapp, Elastic 2 Active Iq Performance Analytics Services, Logstash 2019-10-09 5.0
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged...
CVE-2019-7611 1 Elastic 1 Elasticsearch 2019-10-09 6.8
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has...
CVE-2018-3831 1 Elastic 1 Elasticsearch 2019-10-09 4.0
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration...
CVE-2018-3829 1 Elastic 1 Elastic Cloud Enterprise 2019-10-09 3.5
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host...
CVE-2018-3828 1 Elastic 1 Elastic Cloud Enterprise 2019-10-09 3.5
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being...
CVE-2018-3827 1 Elastic 1 Azure Repository 2019-10-09 4.3
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.
CVE-2018-3826 1 Elastic 1 Elasticsearch 2019-10-09 4.0
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
CVE-2018-3825 1 Elastic 1 Elastic Cloud Enterprise 2019-10-09 4.3
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE...
CVE-2018-3824 1 Elastic 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack 2019-10-09 4.3
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML...
CVE-2018-3823 1 Elastic 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack 2019-10-09 3.5
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to...
CVE-2018-3822 1 Elastic 1 X-pack 2019-10-09 7.5
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider...
CVE-2018-3817 2 Elasticsearch, Elastic 2 Logstash, Logstash 2019-10-09 4.0
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
CVE-2018-17247 1 Elastic 1 Elasticsearch 2019-10-09 4.3
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a...
CVE-2018-17244 1 Elastic 1 Elasticsearch 2019-10-09 4.0
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the...
CVE-2017-8450 2 Elasticsearch, Elastic 2 X-pack, X-pack 2019-10-09 4.0
X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.
CVE-2017-8449 2 Elasticsearch, Elastic 2 X-pack, X-pack 2019-10-09 4.3
X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.