MidnightBSD

Advisories for elasticsearch

CVE-2014-3120 MEDIUM

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,CWE-284,

Products Affected

Vendor Product Version
elasticsearch elasticsearch *
CVE-2014-6439 MEDIUM

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
elasticsearch elasticsearch *
CVE-2015-3337 MEDIUM

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
elasticsearch elasticsearch 1.5.0
elasticsearch elasticsearch *
elasticsearch elasticsearch 1.5.1
CVE-2015-4165 MEDIUM

The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code from them, is accessible by the attacker, and the Java VM on which Elasticsearch is running can write to a location that the other application can read and execute from, allows remote authenticated users to write to and create arbitrary snapshot metadata files, and potentially execute arbitrary code.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
elasticsearch elasticsearch 1.5.2
CVE-2015-5378 MEDIUM

Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
elastic logstash 1.4.2
elasticsearch logstash 1.5.1
elasticsearch logstash 1.5.0
elasticsearch logstash 1.5.2
elastic logstash 1.4.1
elasticsearch logstash 1.4.3
elastic logstash 1.4.0
CVE-2015-5531 MEDIUM

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
elasticsearch elasticsearch *
CVE-2015-5619 MEDIUM

Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
elasticsearch logstash 1.5.3
elastic logstash 1.4.2
elasticsearch logstash 1.5.1
elasticsearch logstash 1.5.0
elasticsearch logstash 1.5.2
elastic logstash 1.4.1
elasticsearch logstash 1.4.4
elasticsearch logstash 1.4.3
elastic logstash 1.4.0
CVE-2016-10362 MEDIUM

Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,CWE-200,

Products Affected

Vendor Product Version
elasticsearch output_plugin *
CVE-2017-11479 MEDIUM

Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
elastic kibana 5.3.0
elastic kibana 5.0.1
elastic kibana 5.3.3
elastic kibana 5.4.2
elastic kibana 5.4.0
elasticsearch kibana 5.1.0
elastic kibana 5.4.3
elastic kibana 5.6.0
elastic kibana 5.0.2
elastic kibana 5.3.1
elastic kibana 5.2.1
elastic kibana 5.5.1
elastic kibana 5.4.1
elastic kibana 5.1.1
elastic kibana 5.2.0
elastic kibana 5.3.2
elastic kibana 5.1.2
elastic kibana 5.5.0
elastic kibana 5.5.2
elastic kibana 5.2.2
elastic kibana 5.0.0
elastic kibana 5.5.3
CVE-2017-11480 MEDIUM

Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-404,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
elasticsearch packetbeat *
CVE-2017-14730 HIGH

The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for user-writable directory trees, which allows local users to gain privileges by leveraging access to a $LS_USER account for creation of a hard link.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
elasticsearch logstash 5.6.0
elasticsearch logstash 5.0.2
elasticsearch logstash 5.1.2
elasticsearch logstash 5.2.1
elasticsearch logstash 5.4.2
elasticsearch logstash 5.4.3
elasticsearch logstash 5.3.1
elasticsearch logstash 5.5.2
elasticsearch logstash 5.5.0
elasticsearch logstash 5.1.1
elasticsearch logstash 5.3.0
elasticsearch logstash 5.5.1
elasticsearch logstash 5.3.2
elasticsearch logstash 5.0.0
elasticsearch logstash 5.0.1
elasticsearch logstash 5.4.1
elasticsearch logstash 5.2.0
CVE-2017-8444 MEDIUM

The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
elasticsearch cloud_enterprise 1.0.1
elasticsearch cloud_enterprise 1.0.0
CVE-2017-8446 MEDIUM

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,CWE-269,

Products Affected

Vendor Product Version
elasticsearch x-pack *
elasticsearch x-pack_reporting *
CVE-2020-7016 LOW

Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.

CVSS 2.0

Severity: LOW

Problem Type: CWE-185,CWE-400,

Products Affected

Vendor Product Version
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.7.0
elasticsearch kibana *
CVE-2020-7017 MEDIUM

In Kibana versions before 6.8.11 and 7.8.1 the region map visualization in contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L 1.2 5.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
oracle communications_billing_and_revenue_management 12.0.0.3.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_network_function_cloud_native_environment 1.7.0
elasticsearch kibana *
CVE-2025-68381

Improper Bounds Check (CWE-787) in Packetbeat can allow a remote unauthenticated attacker to exploit a Buffer Overflow (CAPEC-100) and reliably crash the application or cause significant resource exhaustion via a single crafted UDP packet with an invalid fragment sequence number.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@elastic.co 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
elasticsearch packetbeat *
CVE-2025-68382

Out-of-bounds read (CWE-125) allows an unauthenticated remote attacker to perform a buffer overflow (CAPEC-100) via the NFS protocol dissector, leading to a denial-of-service (DoS) through a reliable process crash when handling truncated XDR-encoded RPC messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@elastic.co 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
elasticsearch packetbeat *
CVE-2025-68388

Allocation of resources without limits or throttling (CWE-770) allows an unauthenticated remote attacker to cause excessive allocation (CAPEC-130) of memory and CPU via the integration of malicious IPv4 fragments, leading to a degradation in Packetbeat.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@elastic.co 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
elasticsearch packetbeat *
CVE-2026-26932

Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@elastic.co 5.7 MEDIUM CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.1 3.6

Products Affected

Vendor Product Version
elasticsearch packetbeat *