Vulnerabilities > Elastic > Elasticsearch > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-12-17 | CVE-2024-12539 | Incorrect Authorization vulnerability in Elastic Elasticsearch 8.16.0/8.16.1 An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. | 6.5 |
| 2024-07-26 | CVE-2023-49921 | Information Exposure Through Log Files vulnerability in Elastic Elasticsearch An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. | 6.5 |
| 2024-06-13 | CVE-2024-37280 | Out-of-bounds Write vulnerability in Elastic Elasticsearch A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. | 4.9 |
| 2024-03-29 | CVE-2024-23449 | Unspecified vulnerability in Elastic Elasticsearch An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. | 5.3 |
| 2024-03-27 | CVE-2024-23451 | Incorrect Authorization vulnerability in Elastic Elasticsearch Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. | 6.5 |
| 2023-10-26 | CVE-2023-31417 | Information Exposure Through Log Files vulnerability in Elastic Elasticsearch Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. | 4.4 |
| 2022-03-03 | CVE-2022-23708 | Unspecified vulnerability in Elastic Elasticsearch A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. | 4.3 |
| 2021-09-15 | CVE-2021-22147 | Missing Authorization vulnerability in Elastic Elasticsearch Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. | 6.5 |
| 2021-07-26 | CVE-2021-22144 | Uncontrolled Recursion vulnerability in multiple products In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. | 6.5 |
| 2021-07-21 | CVE-2021-22145 | Information Exposure Through an Error Message vulnerability in multiple products A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. | 6.5 |