Vulnerabilities > Elastic > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-09-29 | CVE-2017-8448 | Improper Privilege Management vulnerability in Elastic X-Pack An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. | 8.8 |
| 2017-06-27 | CVE-2015-5378 | Information Exposure vulnerability in multiple products Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server. | 7.5 |
| 2017-06-16 | CVE-2017-8452 | Uncontrolled File Descriptor Consumption vulnerability in Elastic Kibana Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. | 7.5 |
| 2017-06-16 | CVE-2017-8450 | Information Exposure vulnerability in Elastic X-Pack 5.1.1 X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. | 7.5 |
| 2017-06-16 | CVE-2016-10363 | Improper Resource Shutdown or Release vulnerability in Elastic Logstash Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. | 7.5 |
| 2017-06-16 | CVE-2016-1000222 | Argument Injection or Modification vulnerability in Elastic Logstash Logstash prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data. | 7.5 |
| 2017-06-16 | CVE-2016-1000221 | Information Exposure vulnerability in Elastic Logstash Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. | 7.5 |
| 2017-06-16 | CVE-2016-1000219 | Improper Authorization vulnerability in Elastic Kibana Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. | 7.5 |
| 2017-06-16 | CVE-2016-1000218 | Cross-Site Request Forgery (CSRF) vulnerability in Elastic Kibana Reporting 2.4.0 Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. | 8.8 |
| 2017-06-05 | CVE-2017-8438 | Improper Privilege Management vulnerability in Elastic X-Pack Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. | 8.8 |