Filtered by vendor Elastic
Subscriptions
Total
155 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-1000219 | 2 Elastic, Redhat | 2 Kibana, Openshift | 2024-11-21 | N/A |
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. | ||||
CVE-2016-1000218 | 1 Elastic | 1 Kibana Reporting | 2024-11-21 | N/A |
Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page. | ||||
CVE-2015-9056 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A |
Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. | ||||
CVE-2015-8131 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A |
Cross-site request forgery (CSRF) vulnerability in Elasticsearch Kibana before 4.1.3 and 4.2.x before 4.2.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | ||||
CVE-2015-5619 | 2 Elastic, Elasticsearch | 2 Logstash, Logstash | 2024-11-21 | N/A |
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack. | ||||
CVE-2015-5378 | 2 Elastic, Elasticsearch | 2 Logstash, Logstash | 2024-11-21 | N/A |
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server. | ||||
CVE-2015-5377 | 1 Elastic | 1 Elasticsearch | 2024-11-21 | N/A |
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving the transport protocol. NOTE: ZDI appears to claim that CVE-2015-3253 and CVE-2015-5377 are the same vulnerability | ||||
CVE-2015-4152 | 1 Elastic | 1 Logstash | 2024-11-21 | N/A |
Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option. | ||||
CVE-2015-4093 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A |
Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||||
CVE-2015-1427 | 2 Elastic, Redhat | 4 Elasticsearch, Fuse, Jboss Amq and 1 more | 2024-11-21 | 9.8 Critical |
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script. | ||||
CVE-2014-4326 | 1 Elastic | 1 Logstash | 2024-11-21 | N/A |
Elasticsearch Logstash 1.0.14 through 1.4.x before 1.4.2 allows remote attackers to execute arbitrary commands via a crafted event in (1) zabbix.rb or (2) nagios_nsca.rb in outputs/. | ||||
CVE-2024-37285 | 1 Elastic | 1 Kibana | 2024-11-15 | 9.1 Critical |
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them. The following Elasticsearch indices permissions are required * write privilege on the system indices .kibana_ingest* * The allow_restricted_indices flag is set to true Any of the following Kibana privileges are additionally required * Under Fleet the All privilege is granted * Under Integration the Read or All privilege is granted * Access to the fleet-setup privilege is gained through the Fleet Server’s service account token | ||||
CVE-2024-37288 | 1 Elastic | 1 Kibana | 2024-09-17 | 9.9 Critical |
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools https://www.elastic.co/guide/en/security/current/ai-for-security.html and have configured an Amazon Bedrock connector https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html . | ||||
CVE-2024-37286 | 1 Elastic | 1 Apm Server | 2024-09-11 | 5.7 Medium |
APM server logs contain document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, since the ES response line contains the document body, and that APM server logs the ES response line on error, the document is effectively logged. | ||||
CVE-2024-37287 | 1 Elastic | 1 Kibana | 2024-08-22 | 9.1 Critical |
A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. |