Elastic Elastic
Products by Elastic Sorted by Most Security Vulnerabilities since 2018
Known Exploited Elastic Vulnerabilities
The following Elastic vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability | The Groovy scripting engine in Elasticsearch allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands. CVE-2015-1427 | March 25, 2022 |
Elasticsearch Remote Code Execution Vulnerability | Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code. CVE-2014-3120 | March 25, 2022 |
Kibana Arbitrary Code Execution | Kibana contain an arbitrary code execution flaw in the Timelion visualizer. CVE-2019-7609 | January 10, 2022 |
By the Year
In 2023 there have been 5 vulnerabilities in Elastic with an average score of 6.7 out of ten. Last year Elastic had 11 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2023 is greater by 1.04.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 5 | 6.70 |
2022 | 11 | 5.66 |
2021 | 21 | 5.65 |
2020 | 5 | 6.66 |
2019 | 12 | 7.39 |
2018 | 19 | 6.97 |
It may take a day or so for new Elastic vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Elastic Security Vulnerabilities
Filebeat versions through 7.17.9 and 8.6.2 have a flaw in httpjson input
CVE-2023-31413
3.3 - Low
- May 04, 2023
Filebeat versions through 7.17.9 and 8.6.2 have a flaw in httpjson input that allows the http request Authorization or Proxy-Authorization header contents to be leaked in the logs when debug logging is enabled.
Insertion of Sensitive Information into Log File
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw
CVE-2023-31414
8.8 - High
- May 04, 2023
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
Code Injection
Kibana version 8.7.0 contains an arbitrary code execution flaw
CVE-2023-31415
8.8 - High
- May 04, 2023
Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process.
Code Injection
An open redirect issue was discovered in Kibana
CVE-2022-38779
6.1 - Medium
- February 22, 2023
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
Open Redirect
A flaw (CVE-2022-38900) was discovered in one of Kibanas third party dependencies
CVE-2022-38778
6.5 - Medium
- February 08, 2023
A flaw (CVE-2022-38900) was discovered in one of Kibanas third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process.
Improper Input Validation
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16
CVE-2021-22141
6.1 - Medium
- November 18, 2022
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
Open Redirect
It was discovered that Kibana was not sanitizing document fields containing HTML snippets
CVE-2021-37936
5.4 - Medium
- November 18, 2022
It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
XSS
A flaw was discovered in ECE before 3.1.1
CVE-2022-23716
5.3 - Medium
- September 28, 2022
A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster.
Insertion of Sensitive Information into Log File
A flaw was discovered in ECE before 3.4.0
CVE-2022-23715
6.5 - Medium
- August 25, 2022
A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore
Insertion of Sensitive Information into Log File
A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could
CVE-2022-23713
6.1 - Medium
- July 06, 2022
A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victims browser.
XSS
A Denial of Service flaw was discovered in Elasticsearch
CVE-2022-23712
7.5 - High
- June 06, 2022
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source
CVE-2022-23711
5.3 - Medium
- April 21, 2022
A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.
A flaw was discovered in Elasticsearch 7.17.0s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index
CVE-2022-23708
4.3 - Medium
- March 03, 2022
A flaw was discovered in Elasticsearch 7.17.0s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with * index permissions access to this index.
Improper Privilege Management
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules
CVE-2022-23709
4.3 - Medium
- March 03, 2022
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.
AuthZ
A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could
CVE-2022-23710
6.1 - Medium
- March 03, 2022
A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victims browser.
XSS
An XSS vulnerability was found in Kibana index patterns
CVE-2022-23707
5.4 - Medium
- February 11, 2022
An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious javascript into the index pattern which could execute against other users
XSS
A local privilege escalation issue was found with the APM Java agent
CVE-2021-37941
7.8 - High
- December 08, 2021
A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher cli 3, the attach API 2, as well as users that have enabled the profiling_inferred_spans_enabled option
Improper Privilege Management
An information disclosure
CVE-2021-37940
6.8 - Medium
- December 07, 2021
An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might not be publicly accessible.
XSPA
It was discovered that Kibanas JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden
CVE-2021-37939
2.7 - Low
- November 18, 2021
It was discovered that Kibanas JIRA connector & IBM Resilient connector could be used to return HTTP response data on internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors, could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.
Cleartext Transmission of Sensitive Information
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path
CVE-2021-37938
4.3 - Medium
- November 18, 2021
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.
Directory traversal
Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization
CVE-2021-22149
8.8 - High
- September 15, 2021
Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
AuthZ
Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator
CVE-2021-22148
8.8 - High
- September 15, 2021
Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
Incorrect Permission Assignment for Critical Resource
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots
CVE-2021-22147
6.5 - Medium
- September 15, 2021
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
AuthZ
In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability
CVE-2021-22144
6.5 - Medium
- July 26, 2021
In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.
Stack Exhaustion
All versions of Elastic Cloud Enterprise has the Elasticsearch anonymous user enabled by default in deployed clusters
CVE-2021-22146
7.5 - High
- July 21, 2021
All versions of Elastic Cloud Enterprise has the Elasticsearch anonymous user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting
CVE-2021-22145
6.5 - Medium
- July 21, 2021
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
Generation of Error Message Containing Sensitive Information
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe
CVE-2020-10743
4.3 - Medium
- June 02, 2021
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.
Improperly Implemented Security Check for Standard
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected
CVE-2021-22136
3.5 - Low
- May 13, 2021
In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background polling activities unintentionally extending authenticated users sessions, preventing a user session from timing out.
Insufficient Session Expiration
Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size
CVE-2021-22139
6.5 - Medium
- May 13, 2021
Kibana versions before 7.12.1 contain a denial of service vulnerability was found in the webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.
Resource Exhaustion
In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature
CVE-2021-22138
3.7 - Low
- May 13, 2021
In Logstash versions after 6.4.0 and before 6.8.15 and 7.12.0 a TLS certificate validation flaw was found in the monitoring feature. When specifying a trusted server CA certificate Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man in the middle style attack against the Logstash monitoring data.
Improper Certificate Validation
In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used
CVE-2021-22137
5.3 - Medium
- May 13, 2021
In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Improper Preservation of Permissions
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled
CVE-2021-22135
5.3 - Medium
- May 13, 2021
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
Information Disclosure
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature
CVE-2021-22140
7.5 - High
- May 13, 2021
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
XXE
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used
CVE-2021-22134
4.3 - Medium
- March 08, 2021
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
AuthZ
The Elastic APM agent for Go versions before 1.11.0
CVE-2021-22133
2.4 - Low
- February 10, 2021
The Elastic APM agent for Go versions before 1.11.0 can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent.
Insertion of Sensitive Information into Log File
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled
CVE-2020-7021
4.9 - Medium
- February 10, 2021
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Insertion of Sensitive Information into Log File
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API
CVE-2021-22132
4.8 - Medium
- January 14, 2021
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2
Insufficiently Protected Credentials
The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to
CVE-2020-27816
6.1 - Medium
- December 02, 2020
The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or the openshift-logging console link damage. This flaw affects elasticsearch-operator-container versions before 4.7.
Open Redirect
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used
CVE-2020-7020
3.1 - Low
- October 22, 2020
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Improper Privilege Management
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security
CVE-2020-7019
6.5 - Medium
- August 18, 2020
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Improper Privilege Management
The fix for CVE-2020-7009 was found to be incomplete
CVE-2020-7014
8.8 - High
- June 03, 2020
The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
Improper Privilege Management
Elasticsearch versions
CVE-2020-7009
8.8 - High
- March 31, 2020
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
Improper Privilege Management
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service
CVE-2019-7619
5.3 - Medium
- October 30, 2019
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin
CVE-2019-7620
7.5 - High
- October 30, 2019
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop responding.
Improper Input Validation
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker
CVE-2019-7617
7.2 - High
- August 22, 2019
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
Improper Input Validation
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer
CVE-2019-7616
4.9 - Medium
- July 30, 2019
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
XSPA
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0
CVE-2019-7615
7.4 - High
- July 30, 2019
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent.
Improper Certificate Validation
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request
CVE-2019-7614
5.9 - Medium
- July 30, 2019
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.
Race Condition
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability
CVE-2019-7608
6.1 - Medium
- March 25, 2019
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer
CVE-2019-7609
10 - Critical
- March 25, 2019
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Command Injection
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw
CVE-2019-7613
7.5 - High
- March 25, 2019
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.
Improper Input Validation
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger
CVE-2019-7610
9 - Critical
- March 25, 2019
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Command Injection
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases
CVE-2019-7611
8.1 - High
- March 25, 2019
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Permission Issues
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs
CVE-2019-7612
9.8 - Critical
- March 25, 2019
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
Credentials Management Errors
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory
CVE-2018-17244
6.5 - Medium
- December 20, 2018
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Information Disclosure
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API
CVE-2018-17247
5.9 - Medium
- December 20, 2018
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
XXE
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin
CVE-2018-17246
9.8 - Critical
- December 20, 2018
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Inclusion of Functionality from Untrusted Control Sphere
Kibana versions 4.0 to 4.6
CVE-2018-17245
9.8 - Critical
- December 20, 2018
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider.
Insufficiently Protected Credentials
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability
CVE-2018-3823
5.4 - Medium
- September 19, 2018
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
XSS
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability
CVE-2018-3824
6.1 - Medium
- September 19, 2018
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
XSS
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters
CVE-2018-3825
5.9 - Medium
- September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
Insecure Default Initialization of Resource
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API
CVE-2018-3826
6.5 - Medium
- September 19, 2018
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Missing Encryption of Sensitive Data
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin
CVE-2018-3827
8.1 - High
- September 19, 2018
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level Azure credentials can be inadvertently logged.
Insertion of Sensitive Information into Log File
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured
CVE-2018-3831
8.8 - High
- September 19, 2018
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Information Disclosure
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter
CVE-2018-3830
6.1 - Medium
- September 19, 2018
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered
CVE-2018-3829
5.3 - Medium
- September 19, 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data.
Authentication Bypass by Spoofing
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability
CVE-2018-3828
7.5 - High
- September 19, 2018
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.
Insertion of Sensitive Information into Log File
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations
CVE-2018-3820
6.1 - Medium
- March 30, 2018
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization
CVE-2018-3821
6.1 - Medium
- March 30, 2018
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack
CVE-2018-3822
9.8 - Critical
- March 30, 2018
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account which an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.
Directory traversal
The fix in Kibana for ESA-2017-23 was incomplete
CVE-2018-3819
6.1 - Medium
- March 30, 2018
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Open Redirect
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter
CVE-2018-3818
6.1 - Medium
- March 30, 2018
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
When logging warnings regarding deprecated settings
CVE-2018-3817
6.5 - Medium
- March 30, 2018
When logging warnings regarding deprecated settings, Logstash before 5.6.6 and 6.x before 6.1.2 could inadvertently log sensitive information.
Information Disclosure
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields
CVE-2017-11481
6.1 - Medium
- December 08, 2017
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
The Kibana fix for CVE-2017-8451 was found to be incomplete
CVE-2017-11482
6.1 - Medium
- December 08, 2017
The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Open Redirect
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion
CVE-2017-11479
6.1 - Medium
- September 29, 2017
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
CVE-2015-9056
6.1 - Medium
- June 16, 2017
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
XSS
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in
CVE-2016-1000219
7.5 - High
- June 16, 2017
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
AuthZ
With X-Pack installed
CVE-2016-10364
6.5 - Medium
- June 16, 2017
With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions.
Permissions, Privileges, and Access Controls
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
CVE-2016-10366
6.1 - Medium
- June 16, 2017
Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack.
XSS
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack
CVE-2016-1000220
6.1 - Medium
- June 16, 2017
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.
XSS
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page
CVE-2017-8440
6.1 - Medium
- June 05, 2017
Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
XSS
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder
CVE-2017-8439
6.1 - Medium
- June 05, 2017
Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.
XSS
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1
CVE-2015-8131
- December 07, 2015
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Session Riding