237 matches found

Elastic, added 2025/04/08 3:54 p.m.

Elasticsearch 8.15.1 Security Update (ESA-2024-34)

Elasticsearch Uncontrolled Resource Consumption vulnerability ESA-2024-34 A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious...

CVSS 6.5 | AI score 7 | EPSS 0.00433 | Exploits: 0

Elastic, added 2025/04/08 3:53 p.m.

Kibana 8.16.4 and 8.17.2 Security Update (ESA-2025-02)

Kibana Prototype Pollution can lead to code injection ESA-2025-02 Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. Affected Versions: Kibana versions 8.16.1 up to and including 8.16.3, and 8.17.0 up to and including 8.17.1 Solutio...

CVSS 9.8 | AI score 7.6 | EPSS 0.00411 | Exploits: 0

Elastic, added 2025/01/23 5:52 a.m.

Kibana 7.17.23/8.15.0 Security Updates (ESA-2024-32, ESA-2024-33)

Kibana allocation of resources without limits or throttling leads to crash ESA-2024-33 An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the...

CVSS 6.5 | AI score 6.6 | EPSS 0.00406 | Exploits: 0

Elastic, added 2025/01/22 3:4 p.m.

Kibana 8.15.0 Security Update (ESA-2024-29, ESA-2024-30)

Kibana server-side request forgery ESA-2024-29 A server-side request forgery vulnerability was identified in Kibana where the /api/fleet/healthcheck API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that retu...

CVSS 7.7 | AI score 6.4 | EPSS 0.00408 | Exploits: 0

Elastic, added 2025/01/21 10:49 a.m.

Elasticsearch 7.17.21 and 8.13.3 Security Update (ESA-2024-25)

Elasticsearch allocation of resources without limits or throttling leads to crash ESA-2024-25 An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. Affected...

CVSS 7.5 | AI score 7.6 | EPSS 0.00597 | Exploits: 0

Elastic, added 2024/12/17 8:29 p.m.

Elasticsearch 8.16.2 / 8.17.0 Security Update

Elasticsearch Incorrect Authorization ESA-2024-46 An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow...

CVSS 6.5 | AI score 7 | EPSS 0.00393 | Exploits: 0

Elastic, added 2024/08/02 8:20 p.m.

APM Server 8.14.0 Security Update (ESA-2024-19)

APM Server Insertion of Sensitive Information into Log File ESA-2024-19 APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailableshardsexception for a specific document, since the ES response line contains the document body, and that APM...

CVSS 6.5 | AI score 6.7 | EPSS 0.00437 | Exploits: 0

Elastic, added 2024/06/14 4:47 a.m.

Kibana 8.14.0/7.17.22 Security Update (ESA-2024-11)

Kibana uncontrolled resource consumption ESA-2024-11 A high-privileged user, allowed to create custom osquery packs could affect the availability of Kibana by uploading a maliciously crafted osquery pack. Affected Versions: Kibana versions after 7.13.0 and before 7.17.22 and versions after 8.0.0...

CVSS 4.9 | AI score 6.8 | EPSS 0.01764 | Exploits: 1

Elastic, added 2024/06/07 4:6 a.m.

Elasticsearch 8.14.0 Security Update (ESA-2024-14)

Elasticsearch StackOverflow vulnerability ESA-2024-14 A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow...

CVSS 4.9 | AI score 6.8 | EPSS 0.00529 | Exploits: 0

Elastic, added 2024/06/05 8:57 p.m.

Elastic Cloud Enterprise 3.7.1 Security Update (ESA-2024-08)

Elastic Cloud Enterprise - Uncontrolled Resource Consumption through HTTP/2 endpoints - CVE-2023-45288 ESA-2024-08 On April 4, 2024, the Go Project announced CVE-2023-45288, which can lead to CPU exhaustion as an attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data. In t...

CVSS 7.5 | AI score 9.1 | EPSS 0.91969 | Exploits: 1

Elastic, added 2024/04/22 9:19 a.m.

Elastic Security Statement for CVE-2024-3094, xz versions 5.6.0 and 5.6.1

Elastic Products are not affected by this issue. On March 29th, 2024, Elastic became aware of the malicious code planted in the xz package. Elastic has performed an investigation to identify any Elastic Products which may be impacted by this issue and we have concluded that no Elastic products us...

CVSS 10 | AI score 7.2 | EPSS 0.85974 | Exploits: 39

Elastic, added 2024/02/06 10:23 p.m.

Elastic Network Drive Connector 8.12.1 Security Update (ESA-2024-02)

Elastic Network Drive Connector Improper Access Control ESA-2024-02 An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in...

CVSS 6.5 | AI score 7 | EPSS 0.00365 | Exploits: 0

Elastic, added 2023/11/15 6:29 a.m.

Logstash 8.11.1 Security Update (ESA-2023-26)

Logstash Insertion of Sensitive Information into Log File ESA-2023-26 An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances. The prerequisites for the manifestation of this issue are: Logstash is configured to log in JSON format...

CVSS 8.4 | AI score 6.5 | EPSS 0.00338 | Exploits: 0

Elastic, added 2023/11/14 6:38 p.m.

Kibana 8.11.1 Security Update (ESA-2023-25)

Kibana Insertion of Sensitive Information into Log File ESA-2023-25 An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1 which resolves this issue. The error message recorded in the log may...

CVSS 8 | AI score 6.6 | EPSS 0.00656 | Exploits: 0

Elastic, added 2023/10/17 12:7 p.m.

Endpoint v8.10.4 Security Update

Elastic Endpoint Insertion of Sensitive Information into Log File ESA-2023-21 If Elastic Endpoint v7.9.0 - v8.10.3 is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to...

CVSS 9.1 | AI score 6.9 | EPSS 0.00348 | Exploits: 0

Elastic, added 2023/09/06 10:30 p.m.

Elasticsearch 8.9.2 and 7.17.13 Security Update

Elasticsearch Insertion of sensitive information in audit logs ESA-2023-12 Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for API...

CVSS 4.4 | AI score 7.5 | EPSS 0.00228 | Exploits: 0

Elastic, added 2022/06/30 8:32 p.m.

Elastic 8.3.1, 8.3.0, and 7.17.5 Security Update

Kibana cross-site scripting (XSS) issue ESA-2022-08 A cross-site scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. Affected Versions: Versions 7.0.0 through 7.17.4 and 8.0.0 through 8.2.3...

CVSS 7.8 | AI score 6.7 | EPSS 0.00695 | Exploits: 0

Elastic, added 2021/07/20 3:17 p.m.

Elastic Cloud Enterprise security update

Elastic Cloud Enterprise security update ESA-2021-17 Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker...

CVSS 7.5 | AI score 7 | EPSS 0.27788 | Exploits: 6

Elastic, added 2021/07/20 3:14 p.m.

Elasticsearch 7.13.4 Security Update

Elasticsearch memory disclosure issue ESA-2021-16 A memory disclosure vulnerability was identified in Elasticsearch’s error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing...

CVSS 6.5 | AI score 7.8 | EPSS 0.76249 | Exploits: 6

Elastic, added 2021/05/25 3:17 p.m.

Elastic Stack 7.13.0 and 6.8.16 Security Update

Kibana url redirection flaw ESA-2021-12 An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website. Affected Versions: All versions of Kibana before 7.13....

CVSS 8.8 | AI score 7.2 | EPSS 0.01009 | Exploits: 0

Elastic, added 2021/03/01 4:55 p.m.

Elastic Stack 7.11.0 Security Update

Elasticsearch field disclosure flaw ESA-2021-05 A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have...

CVSS 4.3 | AI score 7.3 | EPSS 0.01112 | Exploits: 0

Elastic, added 2020/03/04 6:1 p.m.

Elastic Stack 6.8.7 and 7.6.1 security update

Kibana Node.js security flaws ESA-2020-01 The version of Node.js shipped in all versions of Kibana prior to 7.6.1 and 6.8.7 contains three security flaws. CVE-2019-15604 describes a Denial of Service (DoS) flaw in the TLS handling code of Node.js. Successful exploitation of this flaw could result in...

CVSS 9.8 | AI score 9.6 | EPSS 0.57132 | Exploits: 2

Elastic, added 2018/11/06 6:35 p.m.

Elastic Stack 6.4.3 and 5.6.13 security update

Elasticsearch information disclosure ESA-2018-16 Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same...

CVSS 9.8 | AI score 6.8 | EPSS 0.82251 | Exploits: 1

Elastic, added 2018/09/19 1:18 a.m.

Elastic Stack 6.4.1 and 5.6.12 security update

Kibana XSS issue ESA-2018-14 Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. Affected Versions: Versions afte...

CVSS 8.8 | AI score 5.2 | EPSS 0.01985 | Exploits: 0

Elastic, added 2016/11/15 6:13 p.m.

Kibana 5.0.1 and 4.6.3 released with a fix for an open redirect vulnerability

Kibana versions 5.0.1 and 4.6.3 fix an open redirect vulnerability in the short URL feature that would allow an attacker to create a redirect from the Kibana domain to a different website. We’ve assigned this vulnerability the identifier ESA-2016-08. Thank you to the GE Digital Security Team for...

AI score 7 | Exploits: 0

Elastic, added 2026/05/28 7:24 p.m.

8.19.16, 9.3.5 Security Update (ESA-2026-33)

Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a...

CVSS 5.3 | AI score 5.7 | EPSS 0.00228 | Exploits: 0

Elastic, added 2026/03/19 4:59 p.m.

Elasticsearch 8.19.8, 9.1.8 Security Update (ESA-2026-18)

Deserialization of Untrusted Data in Elasticsearch Leading to Remote Code Execution Dependency on Vulnerable Third-Party Component (CWE-1395) exists in PyTorch used by the machine learning model loading component in Elasticsearch that can allow an attacker to achieve remote code execution via Objec...

CVSS 9.8 | AI score 8 | EPSS 0.01878 | Exploits: 0

Elastic, added 2025/12/18 9:15 p.m.

Packetbeat 8.19.9, 9.1.9, and 9.2.3 Security Update (ESA-2025-30)

Packetbeat Improper Bounds Check ESA-2025-30 Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid...

CVSS 6.5 | AI score 7.2 | EPSS 0.00387 | Exploits: 0

Elastic, added 2025/07/29 11:30 p.m.

APM Server (Windows Installer) 8.16.3, 8.17.1 Security Update (ESA-2025-01)

APM Server Uncontrolled Search Path Element can lead to Local Privilege Escalation (LPE) when using the Windows Installer ESA-2025-01 An uncontrolled search path element vulnerability can lead to local privilege escalation (LPE) via insecure directory permissions. The vulnerability arises from improp...

CVSS 7 | AI score 6.7 | EPSS 0.00123 | Exploits: 0

Elastic, added 2025/06/24 5:0 p.m.

Kibana 7.17.29, 8.17.8, 8.18.3, 9.0.3 Security Update (ESA-2025-09)

Kibana Heap Corruption via Crafted HTML Page due to Chromium Type Confusion ESA-2025-09 On March 10, 2025, Google announced CVE-2025-2135, which can lead to heap corruption via a crafted HTML page through a Type Confusion vulnerability. Affected Versions: Kibana versions up to and including...

CVSS 9.9 | AI score 7 | EPSS 0.06387 | Exploits: 1

Elastic, added 2025/01/21 10:50 a.m.

Kibana 7.17.23 and 8.14.2 Security Update (ESA-2024-26)

Kibana allocation of resources without limits or throttling leads to crash ESA-2024-26 An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/logentries/summary. This can be carried out by users with read access to the...

CVSS 6.5 | AI score 6.7 | EPSS 0.0036 | Exploits: 0

Elastic, added 2024/07/31 5:12 p.m.

Elasticsearch 8.13.0/7.17.23 Security Update (ESA-2024-12)

Elasticsearch elasticsearch-certutil csr fails to encrypt private key ESA-2024-12 It was discovered by Elastic engineering that when the elasticsearch-certutil CLI tool is used with the csr option in order to create a new Certificate Signing Request, the associated private key that is generated is...

CVSS 7.5 | AI score 6.9 | EPSS 0.00206 | Exploits: 0

Elastic, added 2024/06/14 3:27 p.m.

Kibana 7.17.22 / 8.14.0 Security Update (ESA-2024-17)

Kibana RCE due to Chromium type confusion ESA-2024-17 On March 26, 2024, a type confusion vulnerability was found in WebAssembly in Google Chrome versions prior to 123.0.6312.86 which allows a remote attacker to execute arbitrary code via a crafted HTML page. Kibana includes a bundled version of...

CVSS 9.9 | AI score 7.7 | EPSS 0.19883 | Exploits: 5

Elastic, added 2024/06/05 8:45 p.m.

Kibana 8.14.0 Security Update (ESA-2024-15)

Kibana Broken Access Control issue ESA-2024-15 A flaw was discovered in Kibana, allowing view-only users of alerting to use the runsoon API making the alerting rule run continuously, potentially affecting the system availability if the alerting rule is running complex queries. Affected Versions:...

CVSS 4.3 | AI score 6.9 | EPSS 0.00372 | Exploits: 0

Elastic, added 2024/03/29 11:12 a.m.

Elasticsearch 8.11.1 Security Update (ESA-2024-05)

Elasticsearch Uncaught Exception ESA-2024-05 An uncaught exception in Elasticsearch >= 8.4.0 and ... >= 8.4.0 and < 8.11.1 Solutions and Mitigations: The issue is resolved in version 8.11.1. This requires the attachment processor to be enabled. Users unable to upgrade can ensure that the attachment...

CVSS 5.3 | AI score 6.9 | EPSS 0.00681 | Exploits: 0

Elastic, added 2024/02/06 10:35 p.m.

APM Server 8.12.1 Security Update (ESA-2024-03)

APM Server Insertion of Sensitive Information into Log File ESA-2024-03 An issue was discovered whereby APM Server could log at ERROR level, a response from Elasticsearch indicating that indexing the document failed and that response would contain parts of the original document. Depending on the...

CVSS 7.5 | AI score 6.6 | EPSS 0.00577 | Exploits: 0

Elastic, added 2024/02/06 10:13 p.m.

Kibana 8.12.1 Security Update (ESA-2024-01)

Kibana Broken Access Control issue ESA-2024-01 An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-spaceid indices. Users who are authorized to call this API...

CVSS 6.5 | AI score 6.8 | EPSS 0.005 | Exploits: 0

Elastic, added 2023/12/12 5:0 p.m.

Beats and Elastic Agent 8.11.3 / 7.17.16 Security Update (ESA-2023-30)

Beats and Elastic Agent Insertion of Sensitive Information into Log File An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in its own logs at the WARN or ERROR level if ingesting that event to Elasticsearch failed with any 4xx HTTP status code except 409 or...

CVSS 6.8 | AI score 6.8 | EPSS 0.00589 | Exploits: 0

Elastic, added 2023/12/05 4:27 p.m.

Elasticsearch-hadoop 7.17.11 / 8.9.0 Security Update (ESA-2023-28)

Elasticsearch-hadoop Unsafe Deserialization ESA-2023-28 An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon W...

CVSS 7.8 | AI score 7.4 | EPSS 0.00243 | Exploits: 0

Elastic, added 2023/10/10 12:40 p.m.

Kibana 8.10.3, 7.17.14 Security Update

Kibana heap buffer overflow vulnerability ESA-2023-19 On Sept 11, 2023, Google Chrome announced CVE-2023-4863, described as “Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted...

CVSS 8.8 | AI score 8.5 | EPSS 0.99739 | Exploits: 9

Elastic, added 2023/09/18 5:53 p.m.

Kibana 8.10.1 Security Update

Kibana Insertion of Sensitive Information into Log File ESA-2023-17 An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is...

CVSS 9 | AI score 6.7 | EPSS 0.00656 | Exploits: 0

Elastic, added 2023/06/29 2:8 p.m.

Elasticsearch 8.8.2, 7.17.11 Security Update

Elasticsearch Denial of Service (DoS) issue ESA-2023-10 This issue only affects users that have at least one OpenID Connect authentication realm or at least one JWT authentication realm configured. A denial of service vulnerability was discovered in Elasticsearch that could lead to the service...

CVSS 7.5 | AI score 8 | EPSS 0.01119 | Exploits: 1

Elastic, added 2023/05/02 4:8 p.m.

Kibana 8.7.1 Security Updates (ESA-2023-07, ESA-2023-08)

Kibana arbitrary code execution ESA-2023-07 Kibana contains an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands o...

CVSS 9.9 | AI score 8 | EPSS 0.00957 | Exploits: 0

Elastic, added 2023/02/03 2:30 p.m.

Elastic 7.17.9, 8.5.0 and 8.6.1 Security Update

Kibana authenticated Denial of Service issue ESA-2023-02 A flaw (CVE-2022-38900) was discovered in one of Kibana’s third party dependencies, that could allow an authenticated user to perform a request that crashes the Kibana server process. Affected Versions: Kibana Versions 7.0.0 through 7.17.8...

CVSS 7.8 | AI score 6.8 | EPSS 0.24741 | Exploits: 1

Elastic, added 2022/09/28 4:15 a.m.

Elastic Cloud Enterprise 3.1.1 Security Update

Elastic Cloud Enterprise Sensitive information disclosure issue ESA-2022-11 A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster. Affected Versions: Elastic...

CVSS 5.3 | AI score 6.2 | EPSS 0.00518 | Exploits: 0

Elastic, added 2022/08/24 3:42 p.m.

Elastic Cloud Enterprise 3.4.0 Security Update

Elastic Cloud Enterprise Sensitive information disclosure issue ESA-2022-10 A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in th...

CVSS 6.5 | AI score 6.2 | EPSS 0.0065 | Exploits: 0

Elastic, added 2022/08/24 3:7 p.m.

Elastic Stack 8.4.0, 7.17.6 Security Statement

Elastic Statement for Oracle July Critical Patch Update CVE-2022-21540, CVE-2022-21541, CVE-2022-21549, CVE-2022-25647, CVE-2022-34169 Summary: Oracle released their July Critical Patch Update for Java SE which contains 5 CVEs. Elastic has analyzed the flaws described by these CVEs and the...

CVSS 7.7 | AI score 8.4 | EPSS 0.17342 | Exploits: 2

Elastic, added 2022/05/24 4:55 p.m.

Elastic Stack 7.17.4 and 8.2.1 Security Update

Elastic Stack update for CVE-2022-21449 Java vulnerability in Elliptic Curve Digital Signature Algorithm (ECDSA) ESA-2022-06 A vulnerability (CVE-2022-21449) affecting the implementation of Elliptic Curve Digital Signing Algorithm (ECDSA) based signatures verification in Java JDK versions 15 and later...

CVSS 7.5 | AI score 7.7 | EPSS 0.46677 | Exploits: 6

Elastic, added 2022/04/20 2:20 p.m.

Kibana 7.17.3 and 8.1.3 Security Update

Kibana Exposure of Sensitive Information ESA-2022-05 A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch...

CVSS 5.3 | AI score 5.7 | EPSS 0.00863 | Exploits: 0

Elastic, added 2022/02/03 5:34 p.m.

Kibana 7.17.0 Security Update

Kibana Cross-site scripting issue ESA-2022-01 An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious JavaScript into the index pattern which could execute against other users. Affected...

CVSS 5.4 | AI score 6 | EPSS 0.00519 | Exploits: 0

Total number of security vulnerabilities: 237