5 matches found
CVE-2020-7018
Elastic Enterprise Search prior to 7.9.0 is affected by a credential exposure in the App Search interface. If a user has the developer role, they can view administrator API credentials, enabling operations with App Search administrator permissions. The issue is fixed by upgrading to Enterprise Se...
CVE-2023-49923
Elastic App Search’s Documents API logged raw indexed document contents at INFO, risking leakage of sensitive data in logs. Affected versions: Enterprise Search/App Search before 7.17.16 and before 8.11.2. Root cause: logging those contents at INFO; fix: log at DEBUG (disabled by default) in 7.17...
CVE-2021-37940
CVE-2021-37940 pertains to an information-disclosure via a GET-based server-side request forgery in the Workplace Search integration for GitHub Enterprise Server (GHES). The vulnerability allows a malicious GHES admin to leverage the Workplace Search GHES integration to view hosts that may not be...
CVE-2021-22148
Elastic Enterprise Search App Search prior to 7.14.0 is vulnerable due to API keys not being bound to the same engines as their creator, enabling a less-privileged user to access engines they should not reach. Red Hat and CVE mappings corroborate the issue. Affected product: Elastic Enterprise Se...
CVE-2021-22149
Elastic Enterprise Search App Search versions prior to 7.14.0 are affected by a missing authorization weakness for API keys via an alternate route, enabling an authenticated attacker to use API keys belonging to higher-privileged users. Root cause: API keys not properly bound/authorized in altern...