Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Elasticsearch
(Elastic)| Repositories | https://github.com/elastic/elasticsearch |
| #Vulnerabilities | 38 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-09-19 | CVE-2018-3826 | In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API. | Elasticsearch | 6.5 | ||
| 2018-12-20 | CVE-2018-17247 | Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to. | Elasticsearch | 5.9 | ||
| 2018-12-20 | CVE-2018-17244 | Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to. | Elasticsearch | 6.5 |