Filtered by vendor Elastic
Subscribe
Total
144 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-7620 | 1 Elastic | 1 Logstash | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop responding. | |||||
CVE-2019-7618 | 1 Elastic | 1 Kibana | 2023-12-10 | 3.5 LOW | 6.5 MEDIUM |
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user. | |||||
CVE-2019-7621 | 1 Elastic | 1 Kibana | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim�s browser. | |||||
CVE-2019-7615 | 1 Elastic | 1 Apm-agent-ruby | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent. | |||||
CVE-2019-7610 | 1 Elastic | 1 Kibana | 2023-12-10 | 9.3 HIGH | 9.0 CRITICAL |
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | |||||
CVE-2019-7617 | 1 Elastic | 1 Apm Agent | 2023-12-10 | 6.4 MEDIUM | 7.2 HIGH |
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing. | |||||
CVE-2019-7608 | 1 Elastic | 1 Kibana | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | |||||
CVE-2019-7614 | 1 Elastic | 1 Elasticsearch | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user. | |||||
CVE-2019-7616 | 1 Elastic | 1 Kibana | 2023-12-10 | 4.0 MEDIUM | 4.9 MEDIUM |
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system. | |||||
CVE-2019-7613 | 1 Elastic | 1 Winlogbeat | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event. | |||||
CVE-2019-7611 | 1 Elastic | 1 Elasticsearch | 2023-12-10 | 6.8 MEDIUM | 8.1 HIGH |
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index. | |||||
CVE-2019-7609 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2023-12-10 | 10.0 HIGH | 10.0 CRITICAL |
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. | |||||
CVE-2019-7612 | 2 Elastic, Netapp | 2 Logstash, Active Iq Performance Analytics Services | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message. | |||||
CVE-2018-3826 | 1 Elastic | 1 Elasticsearch | 2023-12-10 | 4.0 MEDIUM | 6.5 MEDIUM |
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API. | |||||
CVE-2018-3824 | 1 Elastic | 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM |
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user. | |||||
CVE-2018-3831 | 1 Elastic | 1 Elasticsearch | 2023-12-10 | 4.0 MEDIUM | 8.8 HIGH |
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details. | |||||
CVE-2018-17245 | 1 Elastic | 1 Kibana | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL |
Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources plaintext credentials are included in the HTTP request that could be recovered by an external resource provider. | |||||
CVE-2018-3823 | 1 Elastic | 3 Elasticsearch X-pack, Kibana X-pack, Logstash X-pack | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM |
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs. | |||||
CVE-2018-17247 | 1 Elastic | 1 Elasticsearch | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to. | |||||
CVE-2018-17246 | 2 Elastic, Redhat | 2 Kibana, Openshift Container Platform | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL |
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. |