23 matches found
net.sc8s:elastic-testkit_2.13 (>=0.102.0 <=0.108.0), org.elasticsearch.test:framework (>=9.0.0 <=9.1.10) +3 more potentially affected by CVE-2025-68390 via org.elasticsearch:elasticsearch (>=9.0.0-beta1 <=9.1.7)
org.elasticsearch:elasticsearch MAVEN version =9.0.0-beta1, =0.102.0, =9.0.0, =9.0.0, =1.7.es904.0, =9.0.0, =9.1.5 Source cves: CVE-2025-68390 Source advisory: SNYK:JAVA-ORGELASTICSEARCH-14534841...
ai.ylyue:yue-library-data-es (>=j8.2.2.0 <=j11.2.6.2), br.com.simpli:simpli-ws (>=1.2.1 <=2.2.0) +1034 more potentially affected by CVE-2025-37731 via org.elasticsearch:elasticsearch (>=7.0.0-alpha1 <=8.19.7)
org.elasticsearch:elasticsearch MAVEN version =7.0.0-alpha1, =j8.2.2.0, =1.2.1, =0.0.1-alpha, =5.3.0, =5.6.5, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =6.2.0, =6.8.0, =6.4.0, =5.3.0, =5.3.0, =5.3.0, =5.4.0 and more Source cves: CVE-2025-37731 Source advisory: OSV:GHSA-M9GH-789G-Q5PV...
com.farcsal.dql:query-es (=0.8.0), com.github.ben-manes.caffeine:simulator (>=3.0.4 <=3.0.5) +14 more potentially affected by CVE-2025-37727 via org.elasticsearch:elasticsearch (>=8.0.0-alpha1 <=8.18.7)
org.elasticsearch:elasticsearch MAVEN version =8.0.0-alpha1, =3.0.4, =1.2.0, =0.83.0, =7.23.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.10.0, =1.6.es801.0, =1.7.es8184.0 and more Source cves: CVE-2025-37727 Source advisory: SNYK:JAVA-ORGELASTICSEARCH-13517507...
EUVD-2021-0610
Malware in sbrugna...
EUVD-2022-4199
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2020-7020
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly...
Linux Distros Unpatched Vulnerability : CVE-2021-22134
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not...
com.farcsal.dql:query-es (=0.8.0), com.github.ben-manes.caffeine:simulator (>=3.0.4 <=3.0.5) +13 more potentially affected by CVE-2024-52981 via org.elasticsearch:elasticsearch (>=8.0.0-alpha1 <=8.15.0)
org.elasticsearch:elasticsearch MAVEN version =8.0.0-alpha1, =3.0.4, =1.2.0, =0.83.0, =7.23.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.10.0, =1.6.es801.0, =8.0.0, =8.15.0 Source cves: CVE-2024-52981 Source advisory: OSV:GHSA-5XM9-X7X4-4J5X...
ai.grakn:grakn-dist (>=0.7.0 <=0.16.0), ai.grakn:grakn-test (=0.10.0) +2379 more potentially affected by CVE-2024-43709 via org.elasticsearch:elasticsearch (>=0.6.0 <=7.17.20)
org.elasticsearch:elasticsearch MAVEN version =0.6.0, =0.7.0, =0.6.1, =0.11.0, =j11.2.6.0, =0.3.0, =1.0.1, =5.1.0, =5.6.5, =5.1.0, =5.3.0, =5.1.0, =5.1.0, =5.1.0, =6.10.5 and more Source cves: CVE-2024-43709 Source advisory: OSV:GHSA-JGX4-7V3V-VWFM...
net.sc8s:elastic-testkit_2.13 (=0.96.0), nl.basjes.parse.useragent:yauaa-elasticsearch-8 (=7.29.0) +3 more potentially affected by CVE-2024-12539 via org.elasticsearch:elasticsearch (>=8.16.0 <=8.16.1)
org.elasticsearch:elasticsearch MAVEN version =8.16.0, =8.16.0, =8.16.0, =8.16.0, =8.16.1 Source cves: CVE-2024-12539 Source advisory: OSV:GHSA-5MPW-4546-2WCR...
net.sc8s:elastic-testkit_2.13 (=0.88.0), nl.basjes.parse.useragent:yauaa-elasticsearch-8 (=7.26.1) +8 more potentially affected by CVE-2024-37280 via org.elasticsearch:elasticsearch (>=8.13.1 <=8.13.4)
org.elasticsearch:elasticsearch MAVEN version =8.13.1, =8.13.1, =8.13.1, =8.13.1, =8.13.4 Source cves: CVE-2024-37280 Source advisory: OSV:GHSA-4Q22-422G-M4PJ...
PT-2024-2594 · Elastic · Elasticsearch
Name of the Vulnerable Software and Affected Versions: Elasticsearch versions 8.10.0 through 8.12.x Description: The issue is related to an Incorrect Authorization problem in the API key based security model for Remote Cluster Security, which is currently in Beta. This allows a malicious user wit...
com.farcsal.dql:query-es (=0.8.0), org.codelibs:elasticsearch-analysis-extension (>=8.0.0 <=8.10.2.0) +7 more potentially affected by CVE-2023-46673 via org.elasticsearch:elasticsearch (>=8.0.0 <=8.10.2)
org.elasticsearch:elasticsearch MAVEN version =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.10.0, =8.0.0, =8.0.1 Source cves: CVE-2023-46673 Source advisory: OSV:GHSA-285M-VHFQ-XX4H...
cn.vertxup:zero-ifx-es (=0.9.0), cn.vertxup:zero-vie (=0.9.0) +17 more potentially affected by CVE-2023-31418 via org.elasticsearch:elasticsearch (>=8.0.0 <=8.8.2)
org.elasticsearch:elasticsearch MAVEN version =8.0.0, =0.4.0, =1.2.0, =2.6.7, =8.9.0-alpha5, =8.9.0-alpha5, =0.83.0, =6.12, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.0.0, =8.2.0, =8.19.16 and more Source cves: CVE-2023-31418 Source advisory: OSV:GHSA-2CQF-6XV9-F22W...
ai.ylyue:yue-library-data-es (>=j8.2.2.0 <=j11.2.6.2), br.com.simpli:simpli-ws (>=1.2.1 <=2.2.0) +735 more potentially affected by CVE-2019-7619 via org.elasticsearch:elasticsearch (>=7.0.0 <=7.3.2)
org.elasticsearch:elasticsearch MAVEN version =7.0.0, =j8.2.2.0, =1.2.1, =5.3.0, =5.6.5, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =6.2.0, =6.8.0, =6.4.0, =5.3.0, =5.3.0, =5.3.0, =5.3.0, =6.10.5 and more Source cves: CVE-2019-7619 Source advisory: OSV:GHSA-HXP8-R9G3-GRFR...
at.molindo:esi4j (>=0.3.0 <=1.0.1), be.thematchbox:AbstractRiver (=1.0.1) +301 more potentially affected by CVE-2014-3120 via org.elasticsearch:elasticsearch (>=0.6.0 <=1.4.0)
org.elasticsearch:elasticsearch MAVEN version =0.6.0, =0.3.0, =1.0.0, =0.1PRE4, =0.1PRE4, =0.1PRE4, =0.1PRE4, =0.0.1, =0.1.13, =0.1.1, =0.8.1, =0.1.0, =1.0, =1.0.0, =1.1.2, =1.8.0 and more Source cves: CVE-2014-3120 Source advisory: OSV:GHSA-MRFM-JXGF-2H6V...
cc.akkaha:asura-core_2.12 (>=0.1.0 <=0.3.0), ch.squaredesk.nova:metrics-elastic (>=4.0.0-beta-1 <=7.0.2) +324 more potentially affected by CVE-2018-3831 via org.elasticsearch:elasticsearch (>=6.0.0 <=6.4.0)
org.elasticsearch:elasticsearch MAVEN version =6.0.0, =0.1.0, =4.0.0-beta-1, =6.0.0, =6.1.1.0, =0.1.0-RC9, =5.0.3.9.6, =0.0.4, =0.1.1808, =1.0, =1.2 and more Source cves: CVE-2018-3831 Source advisory: OSV:GHSA-R9FV-QPM9-RJ4G...
Elasticsearch 5.0.0-5.6.10 and 6.0.0-6.3.2: Log4j CVE-2021-44228, CVE-2021-45046 remediation
Note — If you are not running Elasticsearch 5.0.0-5.6.10 or 6.0.0-6.3.2, these instructions do not apply. Please follow the guidance in the main announcement. Instructions for removing JndiLookup from the log4j-core JAR file These instructions only apply to users running Elasticsearch versions...
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
...
GHSA-3393-HVRJ-W7V3 Denial of Service in Elasticsearch
In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that...