Lucene search
K
ElasticMost viewed

248 matches found

Elastic
Elastic
added 2019/07/30 6:15 p.m.10 views

Elastic Stack 6.8.2 and 7.2.1 security update

Elasticsearch race condition flaw ESA-2019-07 A race condition flaw was found in the response headers Elasticsearch returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from...

9.1CVSS7.3AI score0.05006EPSS
Exploits3
Elastic
Elastic
added 2018/01/30 6:21 p.m.10 views

Elastic Stack 6.1.3 and 5.6.7 security update

Kibana incomplete fix for ESA-2017-23 ESA-2018-03 The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitra...

6.1CVSS5.4AI score0.00852EPSS
Exploits0
Elastic
Elastic
added 2015/06/06 11:59 a.m.10 views

About the Security Announcements category

Security announcements for the Elastic stack. To report a security vulnerability, please follow the instructions on ourSecurity Issues page. Posting to this category is restricted to staff only...

6.9AI score
Exploits0
Elastic
Elastic
added 2026/07/01 2:3 p.m.9 views

Kibana 8.16.3, 8.17.2 Security Update (ESA-2026-51)

Authorization Bypass Through User-Controlled Key in Kibana Leading to Unauthorized Data Modification Authorization Bypass Through User-Controlled Key CWE-639 in Kibana can lead to unauthorized data modification via Accessing Functionality Not Properly Constrained by ACLs CAPEC-1. Under certain...

4.2CVSS5.7AI score
Exploits0
Elastic
Elastic
added 2026/04/28 9:11 p.m.9 views

Elastic Package Registry 1.38.0 Security Update (ESA-2026-27)

Improper Verification of Cryptographic Signature in Elastic Package Registry Leading to Package Integrity Bypass Improper Verification of Cryptographic Signature CWE-347 in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the...

5.9CVSS5.3AI score0.00124EPSS
Exploits0
Elastic
Elastic
added 2026/03/19 4:59 p.m.9 views

Kibana 8.19.13, 9.2.7, 9.3.2 Security Update (ESA-2026-20)

Improper Validation of Specified Quantity in Input in Kibana Leading to Denial of Service Improper Validation of Specified Quantity in Input CWE-1284 in the Timelion visualization plugin in Kibana can lead Denial of Service via Excessive Allocation CAPEC-130. The vulnerability allows an...

6.5CVSS5.7AI score0.0027EPSS
Exploits0
Elastic
Elastic
added 2026/03/19 4:53 p.m.9 views

Logstash 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-06)

Sensitive Information in Resource Not Removed Before Reuse in Logstash Leading to Access to Sensitive Information Dependency on Vulnerable Third-Party Component CWE-1395 exists in org.lz4:lz4-java decompression library used by logstash-integration-kafka plugin in Logstash that could allow an...

8.2CVSS5.9AI score0.00562EPSS
Exploits0
Elastic
Elastic
added 2025/12/18 9:26 p.m.9 views

Kibana 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-36)

Kibana Allocation of Resources Without Limits or Throttling ESA-2025-36 Allocation of Resources Without Limits or Throttling CWE-770 in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation CAPEC-130 of computing resources and a denial of service DoS of the Kibana...

6.5CVSS6.6AI score0.00271EPSS
Exploits0
Elastic
Elastic
added 2025/07/29 11:30 p.m.9 views

APM Server (Windows Installer) 8.16.3, 8.17.1 Security Update (ESA-2025-01)

APM Server Uncontrolled Search Path Element can lead to Local Privilege Escalation LPE when using the Windows Installer ESA-2025-01 An uncontrolled search path element vulnerability can lead to local privilege Escalation LPE via Insecure Directory Permissions. The vulnerability arises from improp...

7CVSS6.7AI score0.00132EPSS
Exploits0
Elastic
Elastic
added 2025/06/10 4:48 p.m.9 views

Kibana 8.12.1 Security Update (ESA-2024-21)

Kibana Improper Authorization ESA-2024-21 Improper authorization in Kibana can lead to privilege abuse via a direct HTTP request to a Synthetic monitor endpoint. Affected Versions: Kibana versions before and including 8.12.0. Solutions and Mitigations: The issue is resolved in versions 8.12.1. Fo...

8.8CVSS6.9AI score0.00352EPSS
Exploits0
Elastic
Elastic
added 2025/05/06 4:29 p.m.9 views

Kibana 8.17.6, 8.18.1, or 9.0.1 Security Update (ESA-2025-07)

Kibana arbitrary code execution via prototype pollution ESA-2025-07 A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. Affected Versions: 8.3.0 to 8.17.5, and 8.18.0, and 9.0.0 Affected...

9.8CVSS7.8AI score0.14795EPSS
Exploits2
Elastic
Elastic
added 2025/05/01 11:34 a.m.9 views

Kibana 7.17.24 and 8.12.0 Security Update (ESA-2024-20)

Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS ESA-2024-20 Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser XSS via crafted HTML and JavaScript files. The attacker must have access to the Synthetic...

5.4CVSS6.3AI score0.0027EPSS
Exploits0
Elastic
Elastic
added 2025/05/01 10:14 a.m.9 views

APM Server 8.16.1 Security Update (ESA-2024-41)

APM Server Insertion of Sensitive Information into Log File ESA-2024-41 APM server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs. Affected...

5.7CVSS6.4AI score0.00223EPSS
Exploits0
Elastic
Elastic
added 2025/05/01 10:13 a.m.9 views

Elasticsearch 7.17.25 and 8.16.0 Security Update (ESA-2024-40)

Elasticsearch Uncontrolled Resource Consumption vulnerabilityESA-2024-40 Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. Affected Versions:...

7.5CVSS6.9AI score0.00522EPSS
Exploits0
Elastic
Elastic
added 2025/05/01 10:10 a.m.9 views

Logstash 8.15.3 Security Update (ESA-2024-38)

Logstash affected by CVE-2024-47561 in Apache Avro ESA-2024-38 On October 3, 2024, CVE-2024-47561 was published, which can lead to execution of arbitrary code. The issue only affects users using the Kafka integration plugin and only if a malicious schema is loaded through the schema registry...

9.2CVSS7.7AI score0.03278EPSS
Exploits0
Elastic
Elastic
added 2025/04/08 4:0 p.m.9 views

Elasticsearch 7.17.24 and 8.15.1 Security Update (ESA-2024-37)

Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-37 An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause a stackoverflow. Affected Versions: Elasticsearch versions 7.17....

7.5CVSS7AI score0.00511EPSS
Exploits0
Elastic
Elastic
added 2025/04/08 3:59 p.m.9 views

Kibana 7.17.23 and 8.15.1 Security Update (ESA-2024-36)

Kibana Uncontrolled Resource Consumption vulnerability ESA-2024-36 An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned ...

6.5CVSS6.9AI score0.00345EPSS
Exploits0
Elastic
Elastic
added 2025/04/08 3:58 p.m.9 views

Logstash 8.15.3, 8.16.0 Security Update (ESA-2024-48)

Logstash Inefficient Regular Expression Complexity ESA-2024-48 On October 28th, 2024, Ruby announced CVE-2024-49761 in rexml which can lead to ReDoS when parsing XML that has many digits between & and x...; in a hex numeric character reference &x...;. The issue only affects users that use the...

8.7CVSS6.9AI score0.01429EPSS
Exploits0
Elastic
Elastic
added 2025/04/08 3:56 p.m.9 views

Logstash 8.15.1 Security Update (ESA-2024-35)

Logstash Uncontrolled Resource Consumption vulnerability ESA-2024-35 On August 19, 2024, Floraison announced CVE-2024-43380, which affects fugit "natural" parser. The parser turns natural language into a cron date and was found to accept any length of input, causing an uncontrolled resource...

7.5CVSS7AI score0.00792EPSS
Exploits0
Elastic
Elastic
added 2025/04/08 3:54 p.m.9 views

Elasticsearch 8.15.1 Security Update (ESA-2024-34)

Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-34 A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious...

6.5CVSS7AI score0.00467EPSS
Exploits0
Elastic
Elastic
added 2025/04/08 3:53 p.m.9 views

Kibana 8.16.4 and 8.17.2 Security Update (ESA-2025-02)

Kibana Prototype Pollution can lead to code injection ESA-2025-02 Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Affected Versions: Kibana versions 8.16.1 up to and including 8.16.3, and 8.17.0 up to and including 8.17.1 Solutio...

9.8CVSS7.6AI score0.00449EPSS
Exploits0
Elastic
Elastic
added 2025/01/23 5:52 a.m.9 views

Kibana 7.17.23/8.15.0 Security Updates (ESA-2024-32, ESA-2024-33)

Kibana allocation of resources without limits or throttling leads to crash ESA-2024-33 An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the...

6.5CVSS6.6AI score0.00368EPSS
Exploits0
Elastic
Elastic
added 2025/01/21 10:48 a.m.9 views

Elastic Defend 8.13.3 Security Update (ESA-2024-24)

Elastic Defend Improper Handling of Alternate Encoding Leads to Crash ESA-2024-24 Improper handling of alternate encoding occurs when Elastic Defend on Windows systems attempts to scan a file or process encoded as a multibyte character. This leads to an uncaught exception causing Elastic Defend t...

5.5CVSS6.8AI score0.00154EPSS
Exploits0
Elastic
Elastic
added 2024/06/07 4:6 a.m.9 views

Elasticsearch 8.14.0 Security Update (ESA-2024-14)

Elasticsearch StackOverflow vulnerability ESA-2024-14 A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow...

4.9CVSS6.8AI score0.00529EPSS
Exploits0
Elastic
Elastic
added 2024/06/05 8:57 p.m.9 views

Elastic Cloud Enterprise 3.7.1 Security Update (ESA-2024-08)

Elastic Cloud Enterprise - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 ESA-2024-08 On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In t...

7.5CVSS9.1AI score0.91969EPSS
Exploits1
Elastic
Elastic
added 2024/03/29 11:12 a.m.9 views

Elasticsearch 8.11.1 Security Update (ESA-2024-05)

Elasticsearch Uncaught Exception ESA-2024-05 An uncaught exception in Elasticsearch = 8.4.0 and = 8.4.0 and 8.11.1 Solutions and Mitigations: The issue is resolved in version 8.11.1. This requires the attachment processor to be enabled. Users unable to upgrade can ensure that the attachment...

5.3CVSS6.9AI score0.00681EPSS
Exploits0
Elastic
Elastic
added 2024/02/06 10:35 p.m.9 views

APM Server 8.12.1 Security Update (ESA-2024-03)

APM Server Insertion of Sensitive Information into Log File ESA-2024-03 An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the...

7.5CVSS6.6AI score0.00577EPSS
Exploits0
Elastic
Elastic
added 2023/11/15 6:29 a.m.9 views

Logstash 8.11.1 Security Update (ESA-2023-26)

Logstash Insertion of Sensitive Information into Log File ESA-2023-26 An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are: Logstash is configured to log in JSON format...

8.4CVSS6.5AI score0.00338EPSS
Exploits0
Elastic
Elastic
added 2023/10/17 12:7 p.m.9 views

Endpoint v8.10.4 Security Update

Elastic Endpoint Insertion of Sensitive Information into Log File ESA-2023-21 If Elastic Endpoint v7.9.0 - v8.10.3 is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to...

9.1CVSS6.9AI score0.00348EPSS
Exploits0
Elastic
Elastic
added 2023/09/19 3:32 p.m.9 views

Beats, Elastic Agent, APM Server, and Fleet Server 8.10.1 Security Update - Improper Certificate Validation issue (ESA-2023-16)

Beats, Elastic Agent, APM Server, and Fleet Server Improper Certificate Validation issue ESA-2023-16 It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however,...

7.5CVSS6.9AI score0.0027EPSS
Exploits0
Elastic
Elastic
added 2023/06/29 2:8 p.m.9 views

Elasticsearch 8.8.2, 7.17.11 Security Update

Elasticsearch Denial of Service DoS issue ESA-2023-10 This issue only affects users that have at least one OpenID Connect authentication realm or at least one JWT authentication realm configured. A denial of service vulnerability was discovered in Elasticsearch that could lead to the service...

7.5CVSS8AI score0.01119EPSS
Exploits1
Elastic
Elastic
added 2023/05/02 4:8 p.m.9 views

Kibana 8.7.1 Security Updates (ESA-2023-07, ESA-2023-08)

Kibana arbitrary code execution ESA-2023-07 Kibana contains an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands o...

9.9CVSS8AI score0.00957EPSS
Exploits0
Elastic
Elastic
added 2022/08/24 3:42 p.m.9 views

Elastic Cloud Enterprise 3.4.0 Security Update

Elastic Cloud Enterprise Sensitive information disclosure issue ESA-2022-10 A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in th...

6.5CVSS6.2AI score0.00675EPSS
Exploits0
Elastic
Elastic
added 2022/06/30 8:32 p.m.9 views

Elastic 8.3.1, 8.3.0, and 7.17.5 Security Update

Kibana cross-site-scripting XSS issue ESA-2022-08 A cross-site-scripting XSS vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. Affected Versions: Versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3...

7.8CVSS6.7AI score0.00777EPSS
Exploits0
Elastic
Elastic
added 2022/04/20 2:20 p.m.9 views

Kibana 7.17.3 and 8.1.3 Security Update

Kibana Exposure of Sensitive Information ESA-2022-05 A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch...

5.3CVSS5.7AI score0.00888EPSS
Exploits0
Elastic
Elastic
added 2021/08/03 3:44 p.m.9 views

Elastic Stack 7.14.0 Security Update

Elasticsearch Document/Field Level Security issue ESA-2021-18 A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view. Affected...

8.8CVSS6.3AI score0.01037EPSS
Exploits0
Elastic
Elastic
added 2021/07/20 3:17 p.m.9 views

Elastic Cloud Enterprise security update

Elastic Cloud Enterprise security update ESA-2021-17 Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker...

7.5CVSS7AI score0.27788EPSS
Exploits6
Elastic
Elastic
added 2021/05/25 3:17 p.m.9 views

Elastic Stack 7.13.0 and 6.8.16 Security Update

Kibana url redirection flaw ESA-2021-12 An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. Affected Versions: All versions of Kibana before 7.13....

8.8CVSS7.2AI score0.01009EPSS
Exploits0
Elastic
Elastic
added 2021/03/01 4:55 p.m.9 views

Elastic Stack 7.11.0 Security Update

Elasticsearch field disclosure flaw ESA-2021-05 A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have...

4.3CVSS7.3AI score0.01112EPSS
Exploits0
Elastic
Elastic
added 2021/02/10 5:50 p.m.9 views

Elastic Stack 7.11.0 and 6.8.14 Security Update

Elasticsearch information disclosure ESA-2021-03 Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emitrequestbody option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or...

8.7CVSS5.5AI score0.01362EPSS
Exploits0
Elastic
Elastic
added 2020/04/28 5:23 p.m.9 views

Elastic Cloud on Kubernetes 1.1.0 security update

Elastic Cloud on Kubernetes insecure password generation ESA-2020-03 Elastic Cloud on Kubernetes ECK versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more...

7.5CVSS7.1AI score0.01439EPSS
Exploits0
Elastic
Elastic
added 2018/11/06 6:35 p.m.9 views

Elastic Stack 6.4.3 and 5.6.13 security update

Elasticsearch information disclosure ESA-2018-16 Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same...

9.8CVSS6.8AI score0.82251EPSS
Exploits1
Elastic
Elastic
added 2026/03/19 4:51 p.m.8 views

Kibana 8.19.12, 9.2.6, 9.3.1 Security Update (ESA-2026-19)

Missing Authorization in Kibana Leading to Unauthorized Endpoint Response Action Configuration Missing Authorization CWE-862 in Kibana’s server-side Detection Rule Management can lead to Unauthorized Endpoint Response Action Configuration host isolation, process termination, and process suspensio...

6.5CVSS5.8AI score0.00175EPSS
Exploits0
Elastic
Elastic
added 2025/06/24 5:0 p.m.8 views

Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion ESA-2025-09 On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability. Affected Versions: Kibana versions up to and including...

9.9CVSS7AI score0.06387EPSS
Exploits1
Elastic
Elastic
added 2025/01/21 10:49 a.m.8 views

Elasticsearch 7.17.21 and 8.13.3 Security Update (ESA-2024-25)

Elasticsearch allocation of resources without limits or throttling leads to crash ESA-2024-25 An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. Affected...

7.5CVSS7.6AI score0.00597EPSS
Exploits0
Elastic
Elastic
added 2024/12/17 8:29 p.m.8 views

Elasticsearch 8.16.2 / 8.17.0 Security Update

Elasticsearch Incorrect Authorization ESA-2024-46 An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow...

6.5CVSS7AI score0.00393EPSS
Exploits0
Elastic
Elastic
added 2024/08/02 8:20 p.m.8 views

APM Server 8.14.0 Security Update (ESA-2024-19)

APM Server Insertion of Sensitive Information into Log File ESA-2024-19 APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailableshardsexception for a specific document, since the ES response line contains the document body, and that APM...

6.5CVSS6.7AI score0.00437EPSS
Exploits0
Elastic
Elastic
added 2024/06/14 3:27 p.m.8 views

Kibana 7.17.22 / 8.14.0 Security Update (ESA-2024-17)

Kibana RCE due to chromium type confusion ESA-2024-17 On March 26, 2024, a type confusion vulnerability was found in WebAssembly in Google Chrome version prior to 123.0.6312.86 which allows a remote attacker to execute arbitrary code via a crafted HTML page. Kibana includes a bundled version of...

9.9CVSS7.7AI score0.19883EPSS
Exploits5
Elastic
Elastic
added 2024/06/05 8:45 p.m.8 views

Kibana 8.14.0 Security Update (ESA-2024-15)

Kibana Broken Access Control issue ESA-2024-15 A flaw was discovered in Kibana, allowing view-only users of alerting to use the runsoon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. Affected Versions:...

4.3CVSS6.9AI score0.00372EPSS
Exploits0
Elastic
Elastic
added 2024/02/07 10:7 p.m.8 views

Kibana 8.12.1, 7.17.18 Security Update (ESA-2024-04)

Kibana heap buffer overflow vulnerability ESA-2024-04 This issue requires authenticated access to Kibana. On Dec 21, 2023, Google Chrome announced CVE-2023-7024, described as “Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit...

9.9CVSS7.4AI score0.07356EPSS
Exploits2
Total number of security vulnerabilities248