CVE-2019-7619
- EPSS 2.43%
- Veröffentlicht 30.10.2019 14:15:11
- Zuletzt bearbeitet 21.11.2024 04:48:24
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native ...
CVE-2019-7614
- EPSS 1.01%
- Veröffentlicht 30.07.2019 22:15:12
- Zuletzt bearbeitet 21.11.2024 04:48:24
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header co...
CVE-2019-7611
- EPSS 2.15%
- Veröffentlicht 25.03.2019 19:29:02
- Zuletzt bearbeitet 21.11.2024 04:48:23
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.securi...
CVE-2018-17247
- EPSS 1.38%
- Veröffentlicht 20.12.2018 22:29:00
- Zuletzt bearbeitet 21.11.2024 03:54:09
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a spec...
CVE-2018-17244
- EPSS 1.46%
- Veröffentlicht 20.12.2018 22:29:00
- Zuletzt bearbeitet 21.11.2024 03:54:09
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same u...
CVE-2018-3831
- EPSS 1.99%
- Veröffentlicht 19.09.2018 19:29:01
- Zuletzt bearbeitet 21.11.2024 04:06:07
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration informati...
CVE-2018-3826
- EPSS 0.69%
- Veröffentlicht 19.09.2018 19:29:00
- Zuletzt bearbeitet 21.11.2024 04:06:06
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot AP...
CVE-2015-5377
- EPSS 14.86%
- Veröffentlicht 06.03.2018 20:29:00
- Zuletzt bearbeitet 21.11.2024 02:32:54
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
CVE-2015-1427
- EPSS 99.91%
- Veröffentlicht 17.02.2015 15:59:04
- Zuletzt bearbeitet 22.04.2026 13:58:19
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CVE-2014-3120
- EPSS 88.56%
- Veröffentlicht 28.07.2014 19:55:04
- Zuletzt bearbeitet 22.04.2026 14:33:20
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended se...