Filtered by vendor Elastic
Total: 155 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-46666 | 1 Elastic | 1 Elastic Sharepoint Online Python Connector | 2024-11-21 | 5.3 Medium |
An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to all content on the Sharepoint site through Elasticsearch. | ||||
CVE-2023-31422 | 1 Elastic | 1 Kibana | 2024-11-21 | 9 Critical |
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1 which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data, such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users. | ||||
CVE-2023-31421 | 1 Elastic | 4 Apm Server, Elastic Agent, Elastic Beats and 1 more | 2024-11-21 | 5.9 Medium |
It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname), it does not validate the server certificate's IP SAN values against that IP address, and therefore a connection whose certificate validation should fail is not blocked as expected. | ||||
CVE-2023-31419 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 6.5 Medium |
A flaw was discovered in Elasticsearch, affecting the _search API, that allowed a specially crafted query string to cause a stack overflow and ultimately a Denial of Service. | ||||
CVE-2023-31418 | 1 Elastic | 2 Elastic Cloud Enterprise, Elasticsearch | 2024-11-21 | 7.5 High |
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild. | ||||
CVE-2023-31417 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 4.1 Medium |
Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled, and even when audit logging is enabled, request bodies that could contain sensitive information are not printed to the audit log unless explicitly configured. | ||||
CVE-2023-31416 | 1 Elastic | 2 Apm Server, Elastic Cloud On Kubernetes | 2024-11-21 | 5.3 Medium |
Secret token configuration is never applied when using ECK <2.8 with APM Server >=8.0. This could lead to anonymous requests to an APM Server being accepted and the data ingested into this APM deployment. | ||||
CVE-2023-31415 | 1 Elastic | 1 Kibana | 2024-11-21 | 8.8 High |
Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process. | ||||
CVE-2023-31414 | 1 Elastic | 1 Kibana | 2024-11-21 | 8.8 High |
Kibana versions 8.0.0 through 8.7.0 contain an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with permissions of the Kibana process. | ||||
CVE-2023-31413 | 1 Elastic | 1 Filebeat | 2024-11-21 | 3.3 Low |
Filebeat versions through 7.17.9 and 8.6.2 have a flaw in the httpjson input that allows the HTTP request Authorization or Proxy-Authorization header contents to be leaked in the logs when debug logging is enabled. | ||||
CVE-2022-38779 | 1 Elastic | 1 Kibana | 2024-11-21 | 6.1 Medium |
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. | ||||
CVE-2022-38778 | 2 Decode-uri-component Project, Elastic | 2 Decode-uri-component, Kibana | 2024-11-21 | 6.5 Medium |
A flaw (CVE-2022-38900) was discovered in one of Kibana’s third-party dependencies that could allow an authenticated user to perform a request that crashes the Kibana server process. | ||||
CVE-2022-38777 | 2 Elastic, Microsoft | 3 Endgame, Endpoint Security, Windows | 2024-11-21 | 7.8 High |
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | ||||
CVE-2022-38775 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2024-11-21 | 7.8 High |
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | ||||
CVE-2022-38774 | 2 Elastic, Microsoft | 3 Endgame, Endpoint Security, Windows | 2024-11-21 | 7.8 High |
An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | ||||
CVE-2022-23716 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 5.3 Medium |
A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster. | ||||
CVE-2022-23715 | 1 Elastic | 1 Elastic Cloud Enterprise | 2024-11-21 | 6.5 Medium |
A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore | ||||
CVE-2022-23714 | 2 Elastic, Microsoft | 2 Endpoint Security, Windows | 2024-11-21 | 7.8 High |
A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. | ||||
CVE-2022-23713 | 1 Elastic | 1 Kibana | 2024-11-21 | 6.1 Medium |
A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. | ||||
CVE-2022-23712 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | 7.5 High |
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. |