Critical-severity vulnerabilities in Elastic products

Each entry lists: date, CVE, vulnerability title, description, attack vector, attack complexity, affected vendors and CWE, and risk rating with score.

2023-10-26  CVE-2023-46668  Information Exposure Through Log Files vulnerability in Elastic Endpoint 7.9.0/8.10.3
  Description: If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and when Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext.
  Vector: network | Complexity: low | Vendors: elastic | CWE: CWE-532 | Risk: critical (9.1)

2019-03-25  CVE-2019-7612  Information Exposure Through Log Files vulnerability in multiple products
  Description: A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 log malformed URLs.
  Vector: network | Complexity: low | Vendors: elastic, netapp | CWE: CWE-532 | Risk: critical (9.8)

2019-03-25  CVE-2019-7610  Command Injection vulnerability in Elastic Kibana
  Description: Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger.
  Vector: network | Complexity: high | Vendors: elastic | CWE: CWE-77 | Risk: critical (9.0)

2019-03-25  CVE-2019-7609  Code Injection vulnerability in multiple products
  Description: Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.
  Vector: network | Complexity: low | Vendors: elastic, redhat | CWE: CWE-94 | Risk: critical (10.0)

2018-12-20  CVE-2018-17246  Inclusion of Functionality from Untrusted Control Sphere vulnerability in multiple products
  Description: Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin.
  Vector: network | Complexity: low | Vendors: elastic, redhat | CWE: CWE-829 | Risk: critical (9.8)

2018-12-20  CVE-2018-17245  Insufficiently Protected Credentials vulnerability in Elastic Kibana
  Description: Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports.
  Vector: network | Complexity: low | Vendors: elastic | CWE: CWE-522 | Risk: critical (9.8)

2018-03-30  CVE-2018-3822  Path Traversal vulnerability in Elastic X-Pack 6.2.0/6.2.1/6.2.2
  Description: X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal.
  Vector: network | Complexity: low | Vendors: elastic | CWE: CWE-22 | Risk: critical (9.8)

2018-03-06  CVE-2015-5377  Injection vulnerability in Elastic Elasticsearch
  Description: Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol.
  Vector: network | Complexity: low | Vendors: elastic | CWE: CWE-74 | Risk: critical (9.8)

2015-02-17  CVE-2015-1427  (no separate title given)
  Description: The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
  Vector: network | Complexity: low | Vendors: elastic, redhat | CWE: (not given) | Risk: critical (9.8)