Elastic Elastic
stack.watch can notify you when security vulnerabilities are reported in any Elastic product. You can add multiple products that you use with Elastic to create your own personal software stack watcher.
Products by Elastic Sorted by Most Security Vulnerabilities since 2018
@elastic Tweets
Build the detailed #observability geoanalysis you want in just a few clicks.
In #Kibana 7.8, Elastic Maps automat… https://t.co/Qf6gKobI3y
Tue Jul 07 22:20:37 +0000 2020
Tue Jul 07 22:20:37 +0000 2020
Part two of our #observability tutorial for #Kubernetes is all about metrics.
Learn how to collect, enrich, and v… https://t.co/BJrgvivmYn
Tue Jul 07 21:05:02 +0000 2020
Tue Jul 07 21:05:02 +0000 2020
We are pleased to announce the availability of the Elastic @OpenTelemetry integration as we continue to embrace… https://t.co/qYSLaTM7Fb
Tue Jul 07 13:00:29 +0000 2020
Tue Jul 07 13:00:29 +0000 2020
By the Year
In 2020 there have been 2 vulnerabilities in Elastic with an average score of 8.8 out of ten. Last year Elastic had 11 security vulnerabilities published. Right now, Elastic is on track to have less security vulerabilities in 2020 than it did last year. However, the average CVE base score of the vulnerabilities in 2020 is greater by 1.18.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2020 | 2 | 8.80 |
| 2019 | 11 | 7.62 |
| 2018 | 12 | 6.86 |
It may take a day or so for new Elastic vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.
Latest Elastic Security Vulnerabilities
The fix for CVE-2020-7009 was found to be incomplete
CVE-2020-7014
8.8 - High
- June 03, 2020
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
Improper Privilege Management
Elasticsearch versions
CVE-2020-7009
8.8 - High
- March 31, 2020
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
Improper Privilege Management
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service
CVE-2019-7619
5.3 - Medium
- October 30, 2019
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
Use of a Broken or Risky Cryptographic Algorithm
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin
CVE-2019-7620
7.5 - High
- October 30, 2019
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop responding.
Improper Input Validation
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker
CVE-2019-7617
7.2 - High
- August 22, 2019
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
Improper Input Validation
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0
CVE-2019-7615
7.4 - High
- July 30, 2019
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent.
Improper Certificate Validation
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request
CVE-2019-7614
5.9 - Medium
- July 30, 2019
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.
Race Condition
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases
CVE-2019-7611
8.1 - High
- March 25, 2019
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Permission Issues
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability
CVE-2019-7608
6.1 - Medium
- March 25, 2019
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer
CVE-2019-7609
10 - Critical
- March 25, 2019
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger
CVE-2019-7610
9 - Critical
- March 25, 2019
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Improper Neutralization of Special Elements used in a Command ('Command Injection')
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs
CVE-2019-7612
9.8 - Critical
- March 25, 2019
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
Credentials Management
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw
CVE-2019-7613
7.5 - High
- March 25, 2019
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.
Improper Input Validation
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory
CVE-2018-17244
6.5 - Medium
- December 20, 2018
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Information Leak
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API
CVE-2018-17247
5.9 - Medium
- December 20, 2018
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
XXE
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin
CVE-2018-3827
8.1 - High
- September 19, 2018
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.
Credentials Management
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API
CVE-2018-3826
6.5 - Medium
- September 19, 2018
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Missing Encryption of Sensitive Data
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured
CVE-2018-3831
8.8 - High
- September 19, 2018
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Information Leak
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability
CVE-2018-3823
5.4 - Medium
- September 19, 2018
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
XSS
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability
CVE-2018-3824
6.1 - Medium
- September 19, 2018
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
XSS
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters
CVE-2018-3825
5.9 - Medium
- September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
1188
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability
CVE-2018-3828
7.5 - High
- September 19, 2018
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.
Information Exposure Through Log Files
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered
CVE-2018-3829
5.3 - Medium
- September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.
Authentication Bypass by Spoofing
When logging warnings regarding deprecated settings
CVE-2018-3817
6.5 - Medium
- March 30, 2018
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
Information Leak
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack
CVE-2018-3822
9.8 - Critical
- March 30, 2018
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.
Directory traversal