Filtered by vendor Elastic
Subscriptions
Total
161 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-7613 | 1 Elastic | 1 Winlogbeat | 2024-11-21 | 7.5 High |
| Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event. | ||||
| CVE-2019-7612 | 2 Elastic, Netapp | 2 Logstash, Active Iq Performance Analytics Services | 2024-11-21 | 9.8 Critical |
| A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message. | ||||
| CVE-2019-7611 | 2 Elastic, Redhat | 3 Elasticsearch, Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform | 2024-11-21 | 8.1 High |
| A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index. | ||||
| CVE-2019-7610 | 2 Elastic, Redhat | 2 Kibana, Openshift | 2024-11-21 | N/A |
| Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | ||||
| CVE-2019-7608 | 2 Elastic, Redhat | 2 Kibana, Openshift | 2024-11-21 | N/A |
| Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2018-3831 | 2 Elastic, Redhat | 2 Elasticsearch, Jboss Fuse | 2024-11-21 | 8.8 High |
| Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details. | ||||
| CVE-2018-3830 | 2 Elastic, Redhat | 3 Kibana, Openshift, Openshift Container Platform | 2024-11-21 | 6.1 Medium |
| Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2018-3829 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 5.3 Medium |
| In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data. | ||||
| CVE-2018-3828 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | N/A |
| Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials. | ||||
| CVE-2018-3827 | 1 Elastic | 1 Azure Repository | 2024-11-21 | 8.1 High |
| A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged. | ||||
| CVE-2018-3826 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | N/A |
| In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API. | ||||
| CVE-2018-3825 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | N/A |
| In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known. | ||||
| CVE-2018-3824 | 1 Elastic | 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack | 2024-11-21 | N/A |
| X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user. | ||||
| CVE-2018-3823 | 1 Elastic | 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack | 2024-11-21 | 5.4 Medium |
| X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs. | ||||
| CVE-2018-3822 | 1 Elastic | 1 X-pack | 2024-11-21 | 9.8 Critical |
| X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw. | ||||
| CVE-2018-3821 | 1 Elastic | 1 Kibana | 2024-11-21 | 6.1 Medium |
| Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2018-3820 | 1 Elastic | 1 Kibana | 2024-11-21 | 6.1 Medium |
| Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2018-3819 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A |
| The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. | ||||
| CVE-2018-3818 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A |
| Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | ||||
| CVE-2018-3817 | 1 Elastic | 1 Logstash | 2024-11-21 | N/A |
| When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information. | ||||