Filtered by vendor Elastic
Subscribe
Total
153 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-3828 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 3.5 LOW | 7.5 HIGH |
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials. | |||||
CVE-2018-3827 | 1 Elastic | 1 Azure Repository | 2024-11-21 | 4.3 MEDIUM | 8.1 HIGH |
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged. | |||||
CVE-2018-3826 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API. | |||||
CVE-2018-3825 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known. | |||||
CVE-2018-3824 | 1 Elastic | 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user. | |||||
CVE-2018-3823 | 1 Elastic | 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs. | |||||
CVE-2018-3822 | 1 Elastic | 1 X-pack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw. | |||||
CVE-2018-3821 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
CVE-2018-3820 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
CVE-2018-3819 | 1 Elastic | 1 Kibana | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | |||||
CVE-2018-3818 | 1 Elastic | 1 Kibana | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
CVE-2018-3817 | 1 Elastic | 1 Logstash | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information. | |||||
CVE-2018-17247 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to. | |||||
CVE-2018-17246 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | |||||
CVE-2018-17245 | 1 Elastic | 1 Kibana | 2024-11-21 | 5.0 MEDIUM | 9.8 CRITICAL |
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider. | |||||
CVE-2018-17244 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to. | |||||
CVE-2017-8452 | 1 Elastic | 1 Kibana | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. | |||||
CVE-2017-8451 | 1 Elastic | 1 Kibana | 2024-11-21 | 5.8 MEDIUM | 6.1 MEDIUM |
With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | |||||
CVE-2017-8450 | 1 Elastic | 1 X-pack | 2024-11-21 | 4.0 MEDIUM | 7.5 HIGH |
X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. | |||||
CVE-2017-8449 | 1 Elastic | 1 X-pack | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index. |