Vulnerabilities > Elastic

DATE CVE VULNERABILITY TITLE RISK
2020-12-02 CVE-2020-27816 Open Redirect vulnerability in multiple products
The elasticsearch-operator does not validate the namespace in which the Kibana logging resource is created. As a result, it is possible to replace the original openshift-logging console link (Kibana console) with a different one, created based on the new CR for the new Kibana resource.
5.8
2020-10-22 CVE-2020-7020 Improper Privilege Management vulnerability in Elastic Elasticsearch
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used.
network
elastic CWE-269
3.5
2020-08-18 CVE-2020-7019 Improper Privilege Management vulnerability in Elastic Elasticsearch
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security.
network
low complexity
elastic CWE-269
4.0
2020-08-18 CVE-2020-7018 Improper Privilege Management vulnerability in Elastic Enterprise Search
Elastic Enterprise Search before 7.9.0 contains a credential exposure flaw in the App Search interface.
network
low complexity
elastic CWE-269
4.0
2020-06-03 CVE-2020-7015 Cross-Site Scripting vulnerability in Elastic Kibana
Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB visualization.
network
elastic CWE-79
3.5
2020-06-03 CVE-2020-7014 Improper Privilege Management vulnerability in Elastic Elasticsearch
The fix for CVE-2020-7009 was found to be incomplete.
network
low complexity
elastic CWE-269
6.5
2020-06-03 CVE-2020-7013 Code Injection vulnerability in multiple products
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB.
network
low complexity
elastic redhat CWE-94
6.5
2020-06-03 CVE-2020-7012 Code Injection vulnerability in Elastic Kibana
Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant.
network
low complexity
elastic CWE-94
6.5
2020-06-03 CVE-2020-7011 Cross-Site Scripting vulnerability in Elastic App Search
Elastic App Search versions before 7.7.0 contain a cross-site scripting (XSS) flaw when displaying document URLs in the Reference UI.
network
elastic CWE-79
4.3
2020-06-03 CVE-2020-7010 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Elastic Cloud on Kubernetes
Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator.
network
low complexity
elastic CWE-335
5.0