Latest Elastic Elasticsearch Vulnerabilities

Elasticsearch-hadoop Unsafe Deserialization
  Elastic Elasticsearch <7.17.11
  Elastic Elasticsearch >=8.0.0 <8.9.0
  maven/org.elasticsearch:elasticsearch-hadoop >=8.0.0 <8.9.0
  maven/org.elasticsearch:elasticsearch-hadoop <7.17.11

Elastic Elasticsearch is vulnerable to a denial of service, caused by improper handling of exceptional conditions. By sending a specially crafted request using the Simulate Pipeline API, a remote auth...
  maven/org.elasticsearch:elasticsearch >=8.0.0 <8.10.3
  maven/org.elasticsearch:elasticsearch >=7.0.0 <7.17.14
  Elastic Elasticsearch >=7.0.0 <7.17.14
  Elastic Elasticsearch >=8.0.0 <8.10.3

Elasticsearch privilege escalation
  Elastic Elasticsearch >=7.13.0 <=7.14.0

Elasticsearch Insertion of sensitive information in audit logs
  >=7.0.0 <=7.17.12
  >=8.0.0 <=8.9.1
  Elastic Elasticsearch >=7.0.0 <=7.17.12
  Elastic Elasticsearch >=8.0.0 <=8.9.1
  maven/org.elasticsearch:elasticsearch >=8.0.0 <8.9.2
  maven/org.elasticsearch:elasticsearch >=7.0.0 <7.17.13

Elasticsearch uncontrolled resource consumption
  Elastic Elasticsearch <=7.17.12
  Elastic Elasticsearch >=8.0.0 <=8.8.2
  Elastic Elastic Cloud Enterprise <=2.13.3
  Elastic Elastic Cloud Enterprise =3.6.0
  maven/org.elasticsearch:elasticsearch >=8.0.0 <8.9.0
  maven/org.elasticsearch:elasticsearch <7.17.13

Elasticsearch StackOverflow vulnerability
  maven/org.elasticsearch:elasticsearch >=8.0.0 <8.9.1
  maven/org.elasticsearch:elasticsearch >=7.0.0 <7.17.13
  Elastic Elasticsearch >=7.0.0 <=7.17.12
  Elastic Elasticsearch >=8.0.0 <=8.9.0
  Elastic Elasticsearch >=8.0.0 <8.2.1

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized t...
  Elastic Elasticsearch >=7.11.0 <7.14.0

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with th...
  Elastic Elasticsearch <6.8.17
  Elastic Elasticsearch >=7.0.0 <7.13.3
  XStream XStream =1.8.0

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query ...
  Elastic Elasticsearch >=7.10.0 <=7.13.3
  XStream XStream =1.8.0

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when...
  Elastic Elasticsearch <6.8.15
  Elastic Elasticsearch >=7.11.0 <7.11.2
  maven/org.elasticsearch:elasticsearch <=6.8.14
  maven/org.elasticsearch:elasticsearch >=7.11.0 <=7.11.1

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The sugg...
  Elastic Elasticsearch <6.8.15
  Elastic Elasticsearch >=7.11.0 <7.11.2

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when...
  Elastic Elasticsearch >=7.6.0 <=7.11.0
  XStream XStream =1.8.0

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive...
  Elastic Elasticsearch <6.8.14
  Elastic Elasticsearch >=7.0.0 <7.10.0

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user w...
  Elastic Elasticsearch >=7.7.0 <7.10.2
  XStream XStream =1.8.0

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when execu...
  redhat/elasticsearch <7.9.2
  redhat/elasticsearch <6.8.13
  Elastic Elasticsearch <6.8.13
  Elastic Elasticsearch >=7.0.0 <7.9.2

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recentl...
  Elastic Elasticsearch <6.8.12
  Elastic Elasticsearch >=7.0.0 <7.9.0

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and al...
  Elastic Elasticsearch >=6.7.0 <=6.8.7
  Elastic Elasticsearch >=7.0.0 <=7.6.1

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine...
  Elastic Elasticsearch >=6.7.0 <=6.8.3
  Elastic Elasticsearch >=7.0.0 <=7.3.2

A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible fo...
  Elastic Elasticsearch <6.8.2
  Elastic Elasticsearch >=7.0.0 <7.2.1

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are use...
  Elastic Elasticsearch <5.6.15
  Elastic Elasticsearch >=6.0.0 <6.6.1

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java S...
  Elastic Elasticsearch =6.5.0
  Elastic Elasticsearch =6.5.1

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive ...
  Elastic Elasticsearch >=6.4.0 <=6.4.2

In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as ...
  Elastic Elasticsearch >=6.0.0 <=6.2.4
  Elastic Elasticsearch =6.0.0-beta1

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when que...
  redhat/elasticsearch <6.4.1
  redhat/elasticsearch <5.6.12
  Elastic Elasticsearch >=5.6.0 <5.6.12
  Elastic Elasticsearch >=6.0.0 <6.4.1

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203