33 matches found
CVE-2022-23708
Affected software: Elasticsearch 7.17.0 (upgrade assistant) in which upgrading from 6.x to 7.x disables built‑in protections on the security index. Vulnerable component: upgrade assistant handling the upgrade path from 6.x to 7.x. Root cause: misconfiguration of protections during upgrade allows ...
CVE-2022-23708
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “” index permissions access to this index...
PT-2022-16218 · Elastic · Elasticsearch
Name of the Vulnerable Software and Affected Versions: Elasticsearch versions 7.16 through 7.17.0 Description: A flaw was discovered in Elasticsearch's upgrade assistant, which occurs when upgrading from version 6.x to 7.x, disabling the in-built protections on the security index. This allows...
Elasticsearch 安全漏洞
Elasticsearch is a set of open source distributed RESTful search engine built on Lucene from the Dutch company Elasticsearch. The product is mainly used in cloud computing and supports data indexing using JSON over HTTP. Elasticsearch is vulnerable to privilege permission and access control issue...
CVE-2020-7012
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker...
Elastic Kibana 6.7.0 < 6.8.9, 7.x <= 7.6.2 Prototype Pollution Vulnerability - Linux
Kibana is prone to a prototype pollution vulnerability in the Upgrade Assistant. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Elasticsearch Kibana Code Injection Vulnerability (CNVD-2020-38065)
Elasticsearch Kibana is a suite of open source, browser-based analytics and search Elasticsearch dashboard tools from Elasticsearch Netherlands. A code injection vulnerability exists in Upgrade Assistant in Elasticsearch Kibana versions 6.7.0 through 6.8.8 and 7.0.0 through 7.6.2. An attacker can...
CVE-2020-7012
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker...
CVE-2020-7012
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker...
Design/Logic Flaw
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker...
CVE-2020-7012
CVE-2020-7012 affects Elastic Kibana; prototype pollution in the Upgrade Assistant allows an authenticated attacker with write access to the Kibana index to trigger arbitrary code execution with the Kibana process privileges. Affected versions include Kibana 6.7.0–6.8.8 and 7.0.0–7.6.2 (per mult...
Elastic Stack 6.8.9 and 7.7.0 security update
Kibana upgrade assistant prototype pollution flaw ESA-2020-05 Kibana versions between 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to...
Elastic: Remote Code Execution on Cloud via latest Kibana 7.6.2
Summary: A prototype pollution in Kibana can be used to gain remote code execution. Description: There is a prototype pollution bug in the upgrade assistant's telemetry collector, via a dangerous usage of .set:...