Elastic

Elasticsearch

50 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 2.43%
  • Veröffentlicht 30.10.2019 14:15:11
  • Zuletzt bearbeitet 21.11.2024 04:48:24

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native ...

  • EPSS 1.01%
  • Veröffentlicht 30.07.2019 22:15:12
  • Zuletzt bearbeitet 21.11.2024 04:48:24

A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header co...

  • EPSS 2.15%
  • Veröffentlicht 25.03.2019 19:29:02
  • Zuletzt bearbeitet 21.11.2024 04:48:23

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.securi...

  • EPSS 1.38%
  • Veröffentlicht 20.12.2018 22:29:00
  • Zuletzt bearbeitet 21.11.2024 03:54:09

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a spec...

  • EPSS 1.46%
  • Veröffentlicht 20.12.2018 22:29:00
  • Zuletzt bearbeitet 21.11.2024 03:54:09

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same u...

  • EPSS 1.99%
  • Veröffentlicht 19.09.2018 19:29:01
  • Zuletzt bearbeitet 21.11.2024 04:06:07

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration informati...

  • EPSS 0.69%
  • Veröffentlicht 19.09.2018 19:29:00
  • Zuletzt bearbeitet 21.11.2024 04:06:06

In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot AP...

  • EPSS 14.86%
  • Veröffentlicht 06.03.2018 20:29:00
  • Zuletzt bearbeitet 21.11.2024 02:32:54

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability

Warnung Exploit
  • EPSS 99.91%
  • Veröffentlicht 17.02.2015 15:59:04
  • Zuletzt bearbeitet 22.04.2026 13:58:19

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

Warnung Exploit
  • EPSS 88.56%
  • Veröffentlicht 28.07.2014 19:55:04
  • Zuletzt bearbeitet 22.04.2026 14:33:20

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended se...