Vulnerabilities > Elasticsearch > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-07-27 CVE-2020-7017 Cross-site Scripting vulnerability in multiple products
In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw.
network
high complexity
elasticsearch oracle CWE-79
6.7
2020-07-27 CVE-2020-7016 Resource Exhaustion vulnerability in multiple products
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion.
network
high complexity
elasticsearch oracle CWE-400
4.8
2017-09-29 CVE-2017-8444 Unspecified vulnerability in Elasticsearch Cloud Enterprise 1.0.0/1.0.1
The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper.
network
high complexity
elasticsearch
5.9
2017-09-29 CVE-2017-11479 Cross-site Scripting vulnerability in multiple products
Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
network
low complexity
elasticsearch elastic CWE-79
6.1
2017-08-18 CVE-2017-8446 Improper Privilege Management vulnerability in Elasticsearch X-Pack and X-Pack Reporting
The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability.
network
low complexity
elasticsearch CWE-269
5.3
2017-08-09 CVE-2015-5619 Improper Certificate Validation vulnerability in multiple products
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.
network
high complexity
elasticsearch elastic CWE-295
5.9
2017-06-16 CVE-2016-10362 Information Exposure vulnerability in Elasticsearch Output Plugin 2.3.3/5.0.0
Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.
network
low complexity
elasticsearch CWE-200
6.5