Vulnerabilities > Elastic

DATE CVE VULNERABILITY TITLE RISK
2018-03-06 CVE-2015-5377 Injection vulnerability in Elastic Elasticsearch
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol.
network
low complexity
elastic CWE-74
critical
9.8
2017-12-08 CVE-2017-11482 Open Redirect vulnerability in Elastic Kibana
The Kibana fix for CVE-2017-8451 was found to be incomplete.
network
elastic CWE-601
5.8
2017-12-08 CVE-2017-11481 Cross-site Scripting vulnerability in Elastic Kibana
Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
network
elastic CWE-79
4.3
2017-09-29 CVE-2017-8448 Improper Privilege Management vulnerability in Elastic X-Pack
An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.
network
low complexity
elastic CWE-269
6.5
2017-09-29 CVE-2017-8447 Improper Privilege Management vulnerability in Elastic X-Pack
An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement.
network
low complexity
elastic CWE-269
5.5
2017-09-29 CVE-2017-11479 Cross-site Scripting vulnerability in multiple products
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
4.3
2017-08-18 CVE-2017-8445 Improper Certificate Validation vulnerability in Elastic X-Pack
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1.
local
low complexity
elastic CWE-295
2.1
2017-08-09 CVE-2015-5619 Improper Certificate Validation vulnerability in multiple products
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.
4.3
2017-07-07 CVE-2017-8442 Information Exposure vulnerability in Elastic X-Pack
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm.
network
low complexity
elastic CWE-200
4.0
2017-06-30 CVE-2017-8443 Information Exposure vulnerability in Elastic Kibana
In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen.
network
elastic CWE-200
4.3