Filtered by vendor Elastic Subscriptions
Total 155 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-7010 1 Elastic 1 Elastic Cloud On Kubernetes 2024-11-21 7.5 High
Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.
CVE-2020-7009 1 Elastic 1 Elasticsearch 2024-11-21 8.8 High
Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
CVE-2020-27816 2 Elastic, Redhat 3 Kibana, Openshift, Openshift Container Platform 2024-11-21 6.1 Medium
The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or the openshift-logging console link damage. This flaw affects elasticsearch-operator-container versions before 4.7.
CVE-2020-10743 2 Elastic, Redhat 3 Kibana, Openshift, Openshift Container Platform 2024-11-21 4.3 Medium
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, such as clickjacking.
CVE-2019-7621 1 Elastic 1 Kibana 2024-11-21 5.4 Medium
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim�s browser.
CVE-2019-7620 1 Elastic 1 Logstash 2024-11-21 7.5 High
Logstash versions before 7.4.1 and 6.8.4 contain a denial of service flaw in the Logstash Beats input plugin. An unauthenticated user who is able to connect to the port the Logstash beats input could send a specially crafted network packet that would cause Logstash to stop responding.
CVE-2019-7619 1 Elastic 1 Elasticsearch 2024-11-21 5.3 Medium
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
CVE-2019-7618 1 Elastic 1 Kibana 2024-11-21 6.5 Medium
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.
CVE-2019-7617 1 Elastic 1 Apm Agent 2024-11-21 N/A
When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing.
CVE-2019-7616 1 Elastic 1 Kibana 2024-11-21 4.9 Medium
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.
CVE-2019-7615 1 Elastic 1 Apm-agent-ruby 2024-11-21 7.4 High
A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man in the middle style attack against the Ruby agent.
CVE-2019-7614 1 Elastic 1 Elasticsearch 2024-11-21 5.9 Medium
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.
CVE-2019-7613 1 Elastic 1 Winlogbeat 2024-11-21 7.5 High
Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.
CVE-2019-7612 2 Elastic, Netapp 2 Logstash, Active Iq Performance Analytics Services 2024-11-21 9.8 Critical
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
CVE-2019-7611 2 Elastic, Redhat 3 Elasticsearch, Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform 2024-11-21 8.1 High
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
CVE-2019-7610 2 Elastic, Redhat 2 Kibana, Openshift 2024-11-21 N/A
Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
CVE-2019-7609 2 Elastic, Redhat 3 Kibana, Openshift, Openshift Container Platform 2024-11-21 10.0 Critical
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
CVE-2019-7608 2 Elastic, Redhat 2 Kibana, Openshift 2024-11-21 N/A
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
CVE-2018-3831 2 Elastic, Redhat 2 Elasticsearch, Jboss Fuse 2024-11-21 8.8 High
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
CVE-2018-3830 2 Elastic, Redhat 3 Kibana, Openshift, Openshift Container Platform 2024-11-21 6.1 Medium
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.