Filtered by vendor Elastic Subscriptions
Total 155 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2016-1000219 2 Elastic, Redhat 2 Kibana, Openshift 2024-11-21 N/A
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
CVE-2016-1000218 1 Elastic 1 Kibana Reporting 2024-11-21 N/A
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.
CVE-2015-9056 1 Elastic 1 Kibana 2024-11-21 N/A
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.
CVE-2015-8131 1 Elastic 1 Kibana 2024-11-21 N/A
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
CVE-2015-5619 2 Elastic, Elasticsearch 2 Logstash, Logstash 2024-11-21 N/A
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.
CVE-2015-5378 2 Elastic, Elasticsearch 2 Logstash, Logstash 2024-11-21 N/A
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server.
CVE-2015-5377 1 Elastic 1 Elasticsearch 2024-11-21 N/A
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability
CVE-2015-4152 1 Elastic 1 Logstash 2024-11-21 N/A
Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option.
CVE-2015-4093 1 Elastic 1 Kibana 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-1427 2 Elastic, Redhat 4 Elasticsearch, Fuse, Jboss Amq and 1 more 2024-11-21 9.8 Critical
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CVE-2014-4326 1 Elastic 1 Logstash 2024-11-21 N/A
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/.
CVE-2024-37285 1 Elastic 1 Kibana 2024-11-15 9.1 Critical
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv  and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html  assigned to them. The following Elasticsearch indices permissions are required * write privilege on the system indices .kibana_ingest* * The allow_restricted_indices flag is set to true Any of the following Kibana privileges are additionally required * Under Fleet the All privilege is granted * Under Integration the Read or All privilege is granted * Access to the fleet-setup privilege is gained through the Fleet Server’s service account token
CVE-2024-37288 1 Elastic 1 Kibana 2024-09-17 9.9 Critical
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html  and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html .
CVE-2024-37286 1 Elastic 1 Apm Server 2024-09-11 5.7 Medium
APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged.
CVE-2024-37287 1 Elastic 1 Kibana 2024-08-22 9.1 Critical
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.