CVE-2025-37729

EPSS 0.06%
Veröffentlicht 13.10.2025 13:47:08
Zuletzt bearbeitet 11.12.2025 20:59:06
Quelle security@elastic.co
CVE-Watchlists
Login
Unerledigt
Login

Elastic Cloud Enterprise (ECE) Improper Neutralization of Special Elements Used in a Template Engine

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Elastic ≫ Elastic Cloud Enterprise Version >= 2.5.0 < 3.8.2

Elastic ≫ Elastic Cloud Enterprise Version >= 4.0.0 < 4.0.2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.185

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@elastic.co	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-3-8-2-and-4-0-2-security-update-esa-2025-21/382641

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-37729

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-37729

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-37729

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-37729