Elasticsearch Security Vulnerabilities and Issues — Elasticsearch CVE List

Lucene search

ElasticElasticsearch

9 matches found

CVE•added 2024/03/27 6:15 p.m.•253 views

CVE-2024-23451

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to re...

6.5CVSS4.7AI score0.00072EPSS

CVE•added 2024/07/26 5:15 a.m.•235 views

CVE-2023-49921

An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch to be printed in logs. Elastic has released 8.11.2 and 7.17.16 that resolves this issue by removing this excessive...

6.5CVSS5.2AI score0.00492EPSS

CVE•added 2024/12/17 9:15 p.m.•218 views

CVE-2024-12539

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

6.5CVSS6.5AI score0.00076EPSS

CVE•added 2021/07/21 3:15 p.m.•201 views

CVE-2021-22145

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer...

6.5CVSS6.5AI score0.61089EPSS

CVE•added 2018/12/20 10:29 p.m.•179 views

CVE-2018-17244

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when...

6.5CVSS6.2AI score0.00657EPSS

CVE•added 2021/07/26 12:15 p.m.•146 views

CVE-2021-22144

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that wil...

6.5CVSS6.3AI score0.003EPSS

CVE•added 2021/09/15 12:15 p.m.•87 views

CVE-2021-22147

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

6.5CVSS6.1AI score0.00314EPSS

CVE•added 2020/08/18 5:15 p.m.•67 views

CVE-2020-7019

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker...

6.5CVSS6.2AI score0.00136EPSS

CVE•added 2018/09/19 7:29 p.m.•48 views

CVE-2018-3826

In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.

6.5CVSS6.2AI score0.004EPSS