Vulnerabilities > Elastic > Elasticsearch
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-03-31 | CVE-2020-7009 | Improper Privilege Management vulnerability in Elastic Elasticsearch Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. | 6.5 |
| 2019-10-30 | CVE-2019-7619 | Unspecified vulnerability in Elastic Elasticsearch Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. | 5.0 |
| 2019-07-30 | CVE-2019-7614 | Race Condition vulnerability in Elastic Elasticsearch A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. | 5.9 |
| 2019-03-25 | CVE-2019-7611 | Unspecified vulnerability in Elastic Elasticsearch A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . network elastic | 6.8 |
| 2018-12-20 | CVE-2018-17247 | XXE vulnerability in Elastic Elasticsearch 6.5.0/6.5.1 Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. | 4.3 |
| 2018-12-20 | CVE-2018-17244 | Information Exposure vulnerability in Elastic Elasticsearch 6.4.0/6.4.1/6.4.2 Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. | 4.0 |
| 2018-09-19 | CVE-2018-3831 | Information Exposure vulnerability in Elastic Elasticsearch Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. | 4.0 |
| 2018-09-19 | CVE-2018-3826 | Missing Encryption of Sensitive Data vulnerability in Elastic Elasticsearch In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. | 4.0 |
| 2018-03-06 | CVE-2015-5377 | Injection vulnerability in Elastic Elasticsearch Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. | 9.8 |