Security issues

Responsible Vulnerability Disclosure

Elastic appreciates our partnership with the security community and shares the goal of keeping our users and the internet safe. Please report potential security vulnerabilities affecting any of Elastic's products, the Elastic Cloud Service, or the elastic.co website via our HackerOne bug bounty program. For detailed scope and rules of engagement, please refer to our HackerOne program policy.

Under the principles of Coordinated Vulnerability Disclosure, Elastic analyzes potential security vulnerabilities to identify any recommended mitigations or product updates and coordinates disclosures via Elastic Security Advisories (ESA) and the CVE program. Elastic requests that you do not post or share any information about potential vulnerabilities in any public forum until we have researched and responded to the issue.

Other security issues

Users and customers may report any other potential security issues to security@elastic.co. This address can be used for product security related inquiries or requests about other security topics that are not explicitly mentioned here. We can accept only security issues at this address. Bug reports should be directed to the bug tracker of the project concerned or raised with Elastic Support.

If you would like to encrypt your message to us, please use our PGP key. The fingerprint is:

1224 D1A5 72A7 3755 B61A 377B 14D6 5EE0 D2AE 61D2

The key is available via keyservers; search for 'security@elastic.co' (for example, on the OpenPGP keyserver).

Elastic Security Advisories

An Elastic Security Advisory (ESA) is a notice from Elastic to its users of security issues with the Elastic products. Elastic assigns both a CVE and an ESA identifier to each advisory along with a summary and remediation and mitigation details. All new advisories are announced in the Security Announcements forum. These announcements may be tracked via an RSS feed.



Published Security Advisories

Logstash

ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2023-26
CVE-2023-46672
2023-11-15
An issue was identified by Elastic whereby sensitive information is recorded in Logstash logs under specific circumstances.

The prerequisites for the manifestation of this issue are:

  • Logstash is configured to log in JSON format, which is not the default logging format.
  • Sensitive data is stored in the Logstash keystore and referenced as a variable in Logstash configuration.

Users should upgrade to version 8.11.1.
ESA-2021-31
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832
2021-12-10
See ESA-2021-31, Apache Log4j2
Elasticsearch and Logstash 7.16.3 and 6.8.23 have been released, which upgrade log4j to 2.17.1.
ESA-2021-09
CVE-2021-22138
2021-03-23
A TLS certificate validation flaw was found in the monitoring feature of Logstash versions from 6.4.0 before 6.8.15 and 7.12.0. When a trusted server CA certificate was specified, Logstash would not properly verify the certificate returned by the monitoring server. This could result in a man-in-the-middle style attack against the Logstash monitoring data.
Users should update their version of Logstash to 7.12.0 or 6.8.15.
ESA-2019-14
CVE-2019-7620
2019-10-22
A denial of service flaw was found in the Logstash Beats input plugin before versions 6.8.4 and 7.4.1. An unauthenticated user who is able to connect to the port on which the Logstash Beats input listens could send a specially crafted network packet that would cause Logstash to stop responding.

If you are not using the Beats input plugin with Logstash you are not vulnerable to this issue.

Thanks to Dennis Detering, IT security consultant at Spike Reply for reporting this issue.

Users should upgrade to Logstash version 7.4.1 or 6.8.4.
ESA-2019-05
CVE-2019-7612
2019-02-19
A sensitive data disclosure flaw was found in the way Logstash logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as part of the error message.
Users should upgrade to Logstash version 6.6.1 or 5.6.15.
ESA-2018-01
CVE-2018-3817
2018-01-16
When logging warnings regarding deprecated settings, Logstash could inadvertently log sensitive information.
Users should upgrade to Logstash version 6.1.2 or 5.6.6. If you are unable to upgrade you should review your settings to ensure no deprecated settings are used in your environment.
ESA-2017-05
CVE-2017-5645
2017-04-20
The version of Apache Log4j used in Logstash was vulnerable to an object deserialization flaw. This flaw could result in remote code execution by an attacker able to send arbitrary data to a Logstash Log4j plugin.
Users that currently use the Logstash Log4j input plugin should upgrade the logstash-input-log4j plugin to version 3.0.5.
ESA-2016-08
CVE-2016-10362
2016-11-15
Prior to Logstash version 5.0.1, the Elasticsearch output plugin, when updating connections after sniffing, would log HTTP basic auth credentials to file.
Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-06
CVE-2016-10363
2016-09-22
In Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit.
Users that currently use Logstash's netflow codec plugin or may want to use it in the future should upgrade to 2.3.3 or later versions.
ESA-2016-02
CVE-2016-1000221
2016-07-07
Prior to version 2.3.4, the Elasticsearch output plugin would log HTTP authorization headers, which could contain sensitive information, to file.
Users who secure communication from Logstash to Elasticsearch via Basic Authorization using Elastic Shield or other systems are advised to upgrade to this version.
ESA-2016-01
CVE-2016-1000222
2016-02-02
Prior to version 2.1.2, the CSV output can be attacked via engineered input that will create malicious formulas in the CSV data.
Users that currently use Logstash CSV output plugin or may want to use it in the future should upgrade to 2.2.0 or 2.1.2.
ESA-2015-09
CVE-2015-5619
2015-07-22
All Logstash versions prior to 1.5.3 that use the Lumberjack output are vulnerable to a man-in-the-middle attack. Please note that Logstash Forwarder is not affected by this.
Users should upgrade to 1.5.4 or 1.4.5. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack output.
ESA-2015-07
CVE-2015-5378
2015-06-30
All Logstash versions prior to 1.5.2 that use the Lumberjack input (in combination with the Logstash Forwarder agent) are vulnerable to an SSL/TLS security issue called the FREAK attack. This allows an attacker to intercept communication and access secure data.
Users should upgrade to 1.5.3 or 1.4.4. Users that do not want to upgrade can address the vulnerability by disabling the Lumberjack input.
ESA-2015-04
CVE-2015-4152
2015-06-09
All Logstash versions prior to 1.4.3 that use the file output plugin are vulnerable to a directory traversal attack that allows an attacker to write files as the Logstash user.
Users should upgrade to 1.4.3 or 1.5.0. Users that do not want to upgrade can address the vulnerability by disabling the file output plugin.
ESA-2014-02
CVE-2014-4326
2014-06-24
Logstash 1.4.1 and prior, when configured to use the Zabbix or Nagios outputs, allows an attacker who can send crafted events to Logstash inputs to cause Logstash to execute OS commands.
Upgrade to Logstash 1.4.2 or later, or disable the Zabbix and Nagios outputs.

Elasticsearch

ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2023-24
CVE-2023-46673
2023-11-22
It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.

The issue is resolved in versions 8.10.3 and 7.17.14.
ESA-2023-13
CVE-2023-31418
2023-09-22
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests.

Users should upgrade to Elasticsearch version 7.17.13 or 8.9.0 and higher.

Users should upgrade to Elastic Cloud Enterprise version 2.13.4 or 3.6.1.

ESA-2023-14
CVE-2023-31419
2023-09-18

A flaw was discovered in Elasticsearch, affecting the _search API, that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service.

The issue is resolved in versions 7.17.13 and 8.9.1.
ESA-2023-12
CVE-2023-31417
2023-09-06

Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled.

The _xpack/security APIs have been deprecated in Elasticsearch 7.x and were entirely removed in 8.0.0 and later. The only way for a client to use them in Elasticsearch 8.0.0 and later is to provide the Accept: application/json; compatible-with=7 header. Elasticsearch official clients do not use these deprecated APIs.

The affected, deprecated APIs are the following:

POST /_xpack/security/user/{username}

PUT /_xpack/security/user/{username}

PUT /_xpack/security/user/{username}/_password

POST /_xpack/security/user/{username}/_password

PUT /_xpack/security/user/_password

POST /_xpack/security/user/_password

POST /_xpack/security/oauth2/token

DELETE /_xpack/security/oauth2/token

POST /_xpack/security/saml/authenticate

Affected Versions:

Elasticsearch versions from 7.0.0 up to 7.17.12 and from 8.0.0 up to 8.9.1

The issue is resolved in versions 7.17.13 and 8.9.2.
ESA-2023-10
CVE-2023-1370
2023-06-29
This issue only affects users that have at least one OpenID Connect authentication realm or at least one JWT authentication realm configured.
A denial of service vulnerability was discovered in Elasticsearch that could lead to the service becoming unavailable if a maliciously crafted JWT is supplied. This is due to the use of a transitive dependency, json-smart, which parses nested arrays in an unsafe way.
Affected Versions: After 7.2.0 and before 7.17.11, and versions after 8.0.0 and before 8.8.2
The issue is resolved in versions 8.8.2 and 7.17.11.

ESA-2022-07

CVE-2022-23712

2022-06-06

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.

Affected Versions: Elasticsearch 8.0.0 to 8.2.0
The issue is resolved in 8.2.1.
ESA-2022-06
CVE-2022-21449
2022-05-24
Elasticsearch 6.8.x, 7.9.2 and later may be affected by this vulnerability when Java JDK 15 or later is used with certain SSO configurations. Elasticsearch 8.2.1 and 7.17.4 are packaged with OpenJDK 18.0.1 which resolves this issue. See for details.
ESA-2022-02
CVE-2022-23708
2022-02-28
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.

Affected Versions: 7.16 through 7.17.0
Users running a cluster on an affected version that had previously been upgraded from 6.x, should upgrade to 7.17.1. Users that are planning to upgrade from 6.x should not perform an upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.
ESA-2021-31

CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832

2021-12-10

See ESA-2021-31, Apache Log4j2

Elasticsearch and Logstash 7.16.3 and 6.8.23 have been released, which upgrade log4j to 2.17.1.

ESA-2021-25

CVE-2021-37937

2021-09-01

An issue was found with how API keys are created with the fleet-server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised fleet-server service account could escalate itself to a super-user.

Users should upgrade to Elasticsearch version 7.14.1.

ESA-2021-18

CVE-2021-22147

2021-08-03

A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

Users who are using document or field level security with searchable snapshots should upgrade to version 7.14.0.

ESA-2021-16

CVE-2021-22145

2021-07-20

A memory disclosure vulnerability was identified in Elasticsearch’s error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Thanks to Eric Howard (Bell Canada) for reporting this issue.

Affected users should update their version of Elasticsearch to 7.13.4. There is no known workaround for this issue.

ESA-2021-15

CVE-2021-22144

2021-07-07

An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

Users should update their version of Elasticsearch to 7.13.3 or 6.8.17.

ESA-2021-06
CVE-2021-22135
2021-03-23
In Elasticsearch versions before 7.11.2 and 6.8.15, a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester, which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
Anyone using both Document and Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw.
ESA-2021-08
CVE-2021-22137
2021-03-23
A document disclosure flaw was found in Elasticsearch versions before 6.8.15 and 7.11.2 when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Thanks to Piotr Dłubisz, Security Consultant at JN Data A/S for reporting this issue.
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.11.2 or 6.8.15. There is no known workaround for this flaw.
ESA-2021-05
CVE-2021-22134
2021-03-01
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor to this flaw is an attacker must know the document ID to run the get request.
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.11.0. There is no known workaround for this flaw.
ESA-2021-03
CVE-2020-7021
2021-02-10
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Anyone using audit logging with the xpack.security.audit.logfile.events.emit_request_body enabled should upgrade to Elasticsearch version 7.10.0 or 6.8.14. This issue can be worked around by disabling the emit_request_body option in the elasticsearch.yml file.
ESA-2021-01
CVE-2021-22132
2021-01-14
An information disclosure flaw was found in the Elasticsearch async search API. The HTTP headers of users who execute an async search are stored. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster.

All Elasticsearch versions starting with 7.7.0 and before 7.10.2 are affected by this issue.
Users should upgrade to Elasticsearch 7.10.2. There is no known workaround for this issue.
ESA-2020-13
CVE-2020-7020
2020-10-22
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Thanks to Robert Coe, CTO at AcuityMD for reporting this issue.

Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.9.2 or 6.8.13. There is no known workaround for this flaw.
ESA-2020-12
CVE-2020-7019
2020-08-18
A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Users should upgrade to Elasticsearch version 7.9.0 or 6.8.12.
ESA-2020-07
CVE-2020-7014
2020-06-03
The fix for ESA-2020-02 (CVE-2020-7009) was found to be incomplete.

Elasticsearch versions from 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.
Users should upgrade to Elasticsearch version 7.7.0 or 6.8.9. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting ‘xpack.security.authc.api_key.enabled’ to false in the elasticsearch.yml file.
ESA-2020-02
CVE-2020-7009
2020-03-31
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
Users should upgrade to Elasticsearch version 7.6.2 or 6.8.8. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting ‘xpack.security.authc.api_key.enabled’ to false in the elasticsearch.yml file.

Additional details about this change can be found here:

ESA-2019-13
CVE-2019-7619
2019-10-22
A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

The following Elasticsearch versions are affected by this flaw: 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2
6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3

Users should upgrade to Elasticsearch version 7.4.0 or 6.8.4. If users cannot upgrade, the API key service can be disabled by setting ‘xpack.security.authc.api_key.enabled’ to false in the Elasticsearch configuration file.
ESA-2019-07
CVE-2019-7614
2019-07-30
A race condition flaw was found in the response headers Elasticsearch returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
Users should upgrade to Elasticsearch version 7.2.1 or 6.8.2. There is no workaround for this issue.
ESA-2019-04
CVE-2019-7611
2019-02-19
A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Users should upgrade to Elasticsearch version 6.6.1 or 5.6.15. Users unable to upgrade can change the xpack.security.dls_fls.enabled setting to true in their elasticsearch.yml file. The default setting for this option is true.
ESA-2018-19
CVE-2018-17247
2018-12-05
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning’s find_file_structure API. If a policy allowing external network access has been added to Elasticsearch’s Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Please note: by default Elasticsearch has the Java Security Manager enabled with policies which will cause this attack to fail.
Affected users should upgrade to Elasticsearch version 6.5.2.
ESA-2018-16
CVE-2018-17244
2018-11-06
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Users should upgrade to Elasticsearch version 6.4.3.
If upgrading is not possible setting the realm’s cache.ttl option to 0 will prevent caching any user data. This will mitigate this issue but will slow requests considerably.
ESA-2018-15
CVE-2018-3831
2018-09-18
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Users should upgrade to Elasticsearch version 6.4.1 or 5.6.12. There are no known workarounds for this issue.
ESA-2018-10
CVE-2018-3826
2018-06-13
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Although it is advised in the 6.X _snapshot API documentation to define the access_key and security_key parameters in the keystore, it is still possible to define them outside of the keystore using the API.
All users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the _snapshot API from returning the access_key and security_key parameters in plain text.
ESA-2018-11
CVE-2018-3827
2018-06-13
A sensitive data disclosure flaw was found in the Elasticsearch repository-azure (formerly elasticsearch-cloud-azure) plugin. When the repository-azure plugin is set to log at TRACE level, Azure credentials can be inadvertently logged.
All users of Elasticsearch should upgrade to version 6.3.0. This update will prevent the repository-azure plugin from exposing Azure credentials in Elasticsearch logs.
ESA-2018-07
CVE-2018-3822
2018-03-20
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account with an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw.
Users should upgrade to Elasticsearch version 6.2.3.
ESA-2017-19
CVE-2017-8448
2017-09-18
An error was found in the permission model used by X-Pack alerting whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges.
Deployments of the Elastic Stack that utilize X-Pack alerting should be upgraded to version 5.6.1 to fix the privilege escalation issue.
Users mapped to the built-in "watcher_admin" or "machine_learning_admin" roles, or any other role to which the "manage_ml" or "manage_watcher" cluster privilege has been assigned, should be reviewed and granted only to personnel with appropriate trust levels to read and write all indices.
ESA-2017-18
CVE-2017-8447
2017-09-11
An error was found in the X-Pack Security privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.
X-Pack Security users should upgrade to version 5.6.0 or 5.5.3. If you cannot upgrade immediately, you can work around this issue by removing the 'delete' and 'index' permissions from untrusted users.
ESA-2017-15
CVE-2017-8445
2017-08-17
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates.
X-Pack Security users should upgrade to version 5.5.2. Please note this attack cannot be triggered remotely. The most likely scenario would be local system corruption. Even though crossing a trust boundary cannot be forced by an attacker, we consider a security feature failing in this manner to be a flaw.
ESA-2017-10
CVE-2017-8442
2017-07-06
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details.
All users of X-Pack security should upgrade to version 5.5.0. This update will prevent the _nodes API from returning sensitive settings. If you cannot upgrade, any sensitive settings can be hidden by using the X-Pack hide_settings configuration.
ESA-2017-09
CVE-2017-8441
2017-06-01
X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.
All users of X-Pack security should upgrade to version 5.3.3 or 5.4.1. If you cannot upgrade on an index will mitigate this bug.
ESA-2017-06
CVE-2017-8438
2017-06-01
X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally, if the run_as user specified does not exist, the transition will not happen.
Users currently using the run_as functionality should upgrade to X-Pack Security 5.4.1.
ESA-2017-03
CVE-2017-8449
2017-03-28
When merging multiple rules with field level security rules for the same index, X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules.

ESA-2017-01
CVE-2017-8450
2017-01-23
In some cases, X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information.
Users should upgrade to v5.1.2 or above, or restrict access to the multi-search and multi-get APIs.
ESA-2015-08
CVE-2015-5531
2015-07-16
Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack.
Users should upgrade to 1.6.1 or later, or constrain access to the snapshot API to trusted sources.
ESA-2015-06
CVE-2015-5377
2015-07-16
Elasticsearch versions prior to 1.6.1 are vulnerable to an attack that can result in remote code execution.
Users should upgrade to 1.6.1 or 1.7.0. Alternately, ensure that only trusted applications have access to the transport protocol port.
ESA-2015-05
CVE-2015-4165
2015-04-27
All Elasticsearch versions from 1.0.0 to 1.5.2 are vulnerable to an attack that uses Elasticsearch to modify files read and executed by certain other applications.
Users should upgrade to 1.6.0. Alternately, ensure that other applications are not present on the system, or that Elasticsearch cannot write into areas where these applications would read.
ESA-2015-02
CVE-2015-3337
2015-04-27
All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.
Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.
ESA-2015-01
CVE-2015-1427
2015-02-11
Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine that were introduced in 1.3.0. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.
Users should upgrade to 1.3.8 or 1.4.3. Users that do not want to upgrade can address the vulnerability by setting script.groovy.sandbox.enabled to false in elasticsearch.yml and restarting the node.
ESA-2014-03
CVE-2014-6439
2014-11-05
Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.
Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.
ESA-2014-01
CVE-2014-3120
2014-05-22
In Elasticsearch versions 1.1.x and prior, dynamic scripting is enabled by default. This could allow an attacker to execute OS commands.
Disable dynamic scripting.
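An added defender-side check for ESA-2023-12 (CVE-2023-31417) in the Elasticsearch table above; this is example code written for this page, not Elastic's own tooling. It scans Elasticsearch JSON audit log lines for REST requests to the deprecated _xpack/security APIs listed in that advisory and tests whether a node version falls within the affected ranges, so an operator can decide which logged credentials need rotating after upgrading. The audit log field names (event.type, request.method, url.path, user.name, @timestamp) and the sample lines are assumptions constructed for the example.

```python
"""Defender-side check for ESA-2023-12: find Elasticsearch audit log entries
that hit the deprecated _xpack/security APIs, which on affected versions may
have recorded cleartext credentials, and test whether a version is affected.
Example written for this page; field names and sample lines are assumptions."""
import json
import re
from typing import Iterable, List, Tuple

# (method, path regex) pairs for the deprecated APIs listed in the advisory.
# "{username}" in the advisory is one path segment.
DEPRECATED_SECURITY_APIS: List[Tuple[str, str]] = [
    ("POST", r"/_xpack/security/user/[^/]+"),
    ("PUT", r"/_xpack/security/user/[^/]+"),
    ("PUT", r"/_xpack/security/user/[^/]+/_password"),
    ("POST", r"/_xpack/security/user/[^/]+/_password"),
    ("PUT", r"/_xpack/security/user/_password"),
    ("POST", r"/_xpack/security/user/_password"),
    ("POST", r"/_xpack/security/oauth2/token"),
    ("DELETE", r"/_xpack/security/oauth2/token"),
    ("POST", r"/_xpack/security/saml/authenticate"),
]
_COMPILED = [(m, re.compile(p)) for m, p in DEPRECATED_SECURITY_APIS]

# Affected ranges from the advisory, both ends inclusive.
AFFECTED_RANGES = [((7, 0, 0), (7, 17, 12)), ((8, 0, 0), (8, 9, 1))]


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.17.12' -> (7, 17, 12); a '-SNAPSHOT'-style suffix is dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def is_affected_version(version: str) -> bool:
    """True if this Elasticsearch version lies in an affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def is_deprecated_security_call(method: str, path: str) -> bool:
    """True if method + path is one of the deprecated _xpack/security APIs.
    The current /_security/... paths are filtered correctly and not flagged."""
    return any(m == method.upper() and rx.fullmatch(path)
               for m, rx in _COMPILED)


def find_exposed_requests(audit_lines: Iterable[str]) -> List[dict]:
    """Return REST audit events that used a deprecated API. On an affected
    version these are the entries whose logged request may contain cleartext
    passwords or tokens, so the credentials involved should be rotated."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON audit entry; ignore
        if event.get("event.type") != "rest":
            continue  # transport-layer events carry no URL
        method = event.get("request.method", "")
        path = event.get("url.path", "")
        if is_deprecated_security_call(method, path):
            findings.append({
                "timestamp": event.get("@timestamp"),
                "user": event.get("user.name"),
                "method": method.upper(),
                "path": path,
            })
    return findings


# Constructed sample audit log lines (not real data); the dotted field names
# follow the flat JSON layout of the Elasticsearch audit log as assumed here.
SAMPLE_AUDIT_LOG = """
{"type":"audit","@timestamp":"2023-09-01T10:00:00,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"admin","request.method":"POST","url.path":"/_xpack/security/user/alice"}
{"type":"audit","@timestamp":"2023-09-01T10:00:05,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"admin","request.method":"POST","url.path":"/_security/user/bob"}
{"type":"audit","@timestamp":"2023-09-01T10:00:09,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"svc-sso","request.method":"POST","url.path":"/_xpack/security/oauth2/token"}
{"type":"audit","@timestamp":"2023-09-01T10:00:12,000+0000","event.type":"transport","event.action":"access_granted","user.name":"admin","action":"indices:data/read/search"}
"""

if __name__ == "__main__":
    node_version = "7.17.12"  # constructed example value
    print(f"{node_version} affected: {is_affected_version(node_version)}")
    for hit in find_exposed_requests(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{hit['timestamp']} {hit['user']} {hit['method']} {hit['path']}")
```

Only the two _xpack/security requests in the sample are reported; the modern /_security/user path and the transport-layer event are ignored because they are not covered by the advisory.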

Elasticsearch-Hadoop

ESA ID
CVE
Date Disclosed
Vulnerability Summary
Remediation Summary
ESA-2023-28
CVE-2023-46674
2023-12-05
An issue was identified that allowed the unsafe deserialization of java objects from hadoop or spark configuration properties that could have been modified by authenticated users. Elastic would like to thank Yakov Shafranovich, with Amazon Web Services for reporting this issue.
The issue is resolved in versions 7.17.11 and 8.9.0.

Kibana

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary
ESA-2024-04 | CVE-2023-7024 | 2024-06-02

On Dec 21, 2023, Google Chrome announced CVE-2023-7024, described as “Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability.

This issue affects on-premises Kibana installations on host Operating Systems where Chromium sandbox is disabled (only CentOS, Debian, RHEL).

This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.

This issue affects Kibana instances running on Elastic Cloud but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).

Affected Versions:

Kibana 7.x versions up to and including 7.17.17, and 8.x versions up to and including 8.12.0.

The issue is resolved in versions 8.12.1 and 7.17.18.

If you are unable to upgrade, you can disable Kibana reporting functionality completely in the kibana.yml file with the following setting: xpack.reporting.enabled: false
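The affected and fixed versions above are stated per release branch, and the question an operator has to answer is which hosts fall inside them. The Python below is an added example, not Elastic's code: it encodes ESA-2024-04 as half-open (first affected, first fixed) ranges per branch and checks a constructed Kibana inventory against them. The lower bound 7.0.0 for the 7.x branch is an assumption, since the advisory gives only the upper bound for that line; the hostnames and versions in the inventory are invented.

```python
"""Check a Kibana inventory against the per-branch version ranges of ESA-2024-04.
Added example, not Elastic's code."""
import re

# (first affected, inclusive; first fixed, exclusive) per release branch.
# The advisory gives no lower bound for 7.x, so 7.0.0 is an assumption here.
ESA_2024_04 = [("7.0.0", "7.17.18"), ("8.0.0", "8.12.1")]


def parse_version(text):
    """'8.12.1', 'v7.17.17' or '8.11.4-SNAPSHOT' -> (8, 12, 1); suffixes are ignored."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(part) for part in m.groups())


def required_fix(version, ranges):
    """The first fixed release on this version's branch, or None if not affected."""
    v = parse_version(version)
    for first_affected, first_fixed in ranges:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version, ranges):
    return required_fix(version, ranges) is not None


def affected_hosts(inventory, ranges):
    """inventory: iterable of (host, version). Returns (host, fix) pairs sorted by host."""
    hits = []
    for host, version in inventory:
        fix = required_fix(version, ranges)
        if fix is not None:
            hits.append((host, fix))
    return sorted(hits)


# Constructed inventory; the hostnames and versions are not real deployments.
INVENTORY = [
    ("kibana-a", "7.17.17"),
    ("kibana-b", "7.17.18"),
    ("kibana-c", "8.12.0"),
    ("kibana-d", "8.12.1"),
    ("kibana-e", "8.11.4-SNAPSHOT"),
]

if __name__ == "__main__":
    for host, fix in affected_hosts(INVENTORY, ESA_2024_04):
        print("%s: upgrade to %s (or set xpack.reporting.enabled: false)" % (host, fix))
```

The ranges are half-open on purpose: the fixed release is excluded, so a host already on 7.17.18 or 8.12.1 is not reported, while snapshot or pre-release suffixes compare by their numeric part only.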

ESA-2024-01 | CVE-2024-23446 | 2024-06-02

An issue was discovered by Elastic whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.

This issue only affects users assigned a role with DLS or FLS configured, whether they use the KPI or group-by features on the alerts page or call the route directly as API users.

Affected Versions:

Kibana 8.x versions prior to 8.12.1

The issue is resolved in version 8.12.1

ESA-2023-27 | CVE-2023-46675 | 2023-12-12
An issue was discovered by Elastic whereby sensitive information may be recorded in Kibana logs in the event of an error, or when debug-level logging is enabled in Kibana. Elastic has released Kibana 8.11.2, which resolves this issue. The messages recorded in the log may contain account credentials for the kibana_system user, API keys, and credentials of Kibana end-users; Elastic Security package policy objects, which can contain private keys, bearer tokens, and sessions of third-party integrations; and Authorization headers, client secrets, local file paths, and stack traces. The issue may occur in any Kibana instance running an affected version that receives an unexpected error when communicating with Elasticsearch, causing it to include sensitive data in Kibana error logs. It can also occur under specific circumstances when debug-level logging is enabled in Kibana. Note: the fix for ESA-2023-25 in Kibana 8.11.1, which addressed a similar issue, was found to be incomplete.

Affected Versions:

Kibana versions on or after 7.13.0 and before 7.17.16.

Kibana versions on or after 8.0.0 and before 8.11.2.

The issue is resolved in Kibana 8.11.2 and 7.17.16

The following mitigations have been implemented in Elastic Cloud:

We have purged sensitive data that was logged from our monitoring environment.

We have adjusted the rulesets of our redaction solution so that no new instances of sensitive information are logged in our monitoring environment and in customer’s monitoring clusters.

For Elastic Cloud customers with self-managed monitoring clusters, affected logs should be reviewed for any potentially sensitive data and if deemed necessary, follow up actions such as purging sensitive data from logs and rotating any potentially exposed credentials should be performed.

As additional mitigation, Elastic Cloud customers on affected versions of Kibana are advised to upgrade to 8.11.3.

Please see ESA-2023-27 for more information.

ESA-2023-25 | CVE-2023-46671 | 2023-11-14
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. Elastic has released Kibana 8.11.1, which resolves this issue. The error message recorded in the log may contain account credentials for the kibana_system user, API keys, and credentials of Kibana end-users.

Affected Versions
Kibana versions on or after 8.0.0 and before 8.11.1.
The issue is resolved in Kibana 8.11.1.

The following mitigations have been implemented in Elastic Cloud:

  • We have purged sensitive data that was logged from our monitoring environment.
  • We have deployed and are currently fortifying a redaction solution so that no new instances of sensitive information are logged in our monitoring environment and in customer’s monitoring clusters.

For Elastic Cloud customers with self-managed monitoring clusters, affected logs should be reviewed for any potential sensitive data and if deemed necessary, follow up actions such as purging sensitive data from logs and rotating any potentially exposed credentials should be performed.

As additional mitigation, Elastic Cloud customers are advised to upgrade to 8.11.1.

Users on affected versions of Kibana in self-managed, ECE, or ECK, should upgrade to Kibana 8.11.1.

Affected logs should be reviewed for any potential sensitive data and if deemed necessary, follow up actions such as purging sensitive data from logs and rotating any potentially exposed credentials should be performed.

Please see ESA-2023-25 for more details.
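ESA-2023-27 and ESA-2023-25 both ask operators of self-managed monitoring clusters to review their logs for leaked secrets and rotate anything exposed. The Python below is an added example, not Elastic's redaction ruleset: it runs a small set of patterns over constructed Kibana-style JSON log lines, covering the data classes the two advisories name (credentials embedded in URLs, Authorization headers carrying Basic, Bearer or ApiKey values, PEM private keys from package policy objects, and password or client-secret fields), and redacts only the secret portion so the surrounding context remains usable for triage. The log lines, hostnames, password and API key are all constructed for the example.

```python
"""Find and redact the secret classes ESA-2023-25 and ESA-2023-27 say may have been
written to Kibana logs. Added example; the patterns are mine, not Elastic's ruleset."""
import re

# One capture group per pattern isolates the secret, so the same regex drives both
# detection and redaction. Quotes may be JSON-escaped (\") inside a log message.
PATTERNS = {
    "authorization_header": re.compile(
        r"(?i)authorization\\?[\"']?\s*[:=]\s*\\?[\"']?(?:basic|bearer|apikey)\s+([A-Za-z0-9+/=_\-.]+)"),
    "url_credentials": re.compile(r"https?://[^\s/:@\"']+:([^\s/@\"']+)@"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----(.*?)(?:-----END|\\?[\"']|$)"),
    "secret_field": re.compile(
        r"(?i)\\?[\"']?(?:password|client_secret|api_key|secret_token)\\?[\"']?\s*[:=]\s*\\?[\"']?([^\s,\"\\}]+)"),
}


def scan_line(line):
    """Categories of sensitive data present in one log line."""
    return [name for name, rx in PATTERNS.items() if rx.search(line)]


def scan_log(text):
    """(line_number, category) pairs over a whole log; line numbers are 1-based."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name in scan_line(line):
            findings.append((number, name))
    return findings


def redact_line(line):
    """Replace only the captured secret, keeping the surrounding context for triage."""
    def blank_secret(m):
        start, end = m.span(1)
        whole = m.group(0)
        return whole[:start - m.start()] + "[REDACTED]" + whole[end - m.start():]
    for rx in PATTERNS.values():
        line = rx.sub(blank_secret, line)
    return line


# Constructed Kibana-style JSON log lines; the hosts, password and API key are invented.
SAMPLE_LOG = r"""{"@timestamp":"2023-11-20T10:01:02.000Z","log.level":"ERROR","message":"Unable to retrieve version information from Elasticsearch nodes. request to http://kibana_system:s3cr3tPass@es01:9200/_nodes failed"}
{"@timestamp":"2023-11-20T10:01:03.000Z","log.level":"DEBUG","message":"request headers: {\"authorization\":\"ApiKey c2FtcGxlLWlkOnNhbXBsZS1rZXk=\"}"}
{"@timestamp":"2023-11-20T10:01:04.000Z","log.level":"ERROR","message":"failed to load package policy object: {\"ssl\":{\"key\":\"-----BEGIN PRIVATE KEY-----MIIEvQIBADANBgkqhkiG9w0BAQEFAASC\"}}"}
{"@timestamp":"2023-11-20T10:01:05.000Z","log.level":"INFO","message":"Kibana is now available (was degraded)"}
{"@timestamp":"2023-11-20T10:01:06.000Z","log.level":"ERROR","message":"config validation failed: elasticsearch.password=Sup3rS3cret! for user kibana_system"}"""

if __name__ == "__main__":
    for number, category in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, category))
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```

A hit on any line is a reason to rotate the credential it names, not just to purge the line: the advisories point out that disabling the logging or upgrading does not undo an exposure that has already been written to a monitoring cluster.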

ESA-2023-19 | CVE-2023-4863 | 2023-10-10

On Sept 11, 2023, Google Chrome announced CVE-2023-4863, described as “Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page”. Kibana includes a bundled version of headless Chromium that is only used for Kibana’s reporting capabilities and which is affected by this vulnerability. An exploit for Kibana has not been identified; nonetheless, as a resolution, the bundled version of Chromium is updated in this release.

This issue affects on-premises Kibana installations on host Operating Systems where the Chromium sandbox is disabled (only CentOS, Debian, RHEL).

This issue affects Kibana instances running using the Kibana Docker image when the Chromium sandbox is explicitly disabled as suggested by the documentation. Further exploitation such as container escape is prevented by seccomp-bpf.

This issue affects Kibana instances running on Elastic Cloud but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud Enterprise (ECE) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape is prevented by seccomp-bpf and AppArmor profiles.

This issue affects Kibana instances running on Elastic Cloud on Kubernetes (ECK) but the RCE is limited within the Kibana Docker container. Further exploitation such as container escape can be prevented by seccomp-bpf when configured and supported (Kubernetes v1.19 and later).

Users should upgrade to version 8.10.3 or 7.17.14.

If you are unable to upgrade, you can disable Kibana reporting functionality completely in the kibana.yml file with the following setting: xpack.reporting.enabled: false

ESA-2023-17 | CVE-2023-31422 | 2023-09-18
An issue was discovered by Elastic whereby sensitive information is recorded in Kibana logs in the event of an error. The issue impacts only Kibana version 8.10.0 when logging in the JSON layout or when the pattern layout is configured to log the %meta pattern. Elastic has released Kibana 8.10.1, which resolves this issue. The error object recorded in the log contains request information, which can include sensitive data such as authentication credentials, cookies, authorization headers, query params, request paths, and other metadata. Some examples of sensitive data which can be included in the logs are account credentials for kibana_system, kibana-metricbeat, or Kibana end-users.
The issue is resolved in Kibana 8.10.1. Version 8.10.0 has been removed from our download sites.
Kibana instances of Elastic Cloud customers on 8.10.0 have been patched to resolve this issue.
Users who are running Kibana 8.10.0 self-managed, including ECE or ECK deployments, should upgrade immediately to Kibana 8.10.1.
Please see ESA-2023-17 for more details.

ESA-2023-08 | CVE-2023-31415 | 2023-05-02
Kibana version 8.7.0 contains an arbitrary code execution flaw. An attacker with All privileges to the Uptime/Synthetics feature could send a request that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with the permissions of the Kibana process.
Upgrade to Kibana version 8.7.1.

ESA-2023-07 | CVE-2023-31414 | 2023-05-02
Kibana contains an arbitrary code execution flaw. An attacker with write access to Kibana yaml or env configuration could add a specific payload that will attempt to execute JavaScript code. This could lead to the attacker executing arbitrary commands on the host system with the permissions of the Kibana process.
Users are suggested to upgrade to 8.7.1.

ESA-2023-06 | CVE-2023-26487 | 2023-05-02
A flaw (CVE-2023-26487) was discovered in one of Kibana’s dependencies, which could allow arbitrary JavaScript to be executed in a victim’s browser via a maliciously crafted custom visualization in Kibana.
The issue is resolved in versions 7.17.10 and 8.7.0.

ESA-2023-05 | CVE-2023-26486 | 2023-05-02
A flaw (CVE-2023-26486) was discovered in one of Kibana’s dependencies, which could allow arbitrary JavaScript to be executed in a victim’s browser via a maliciously crafted custom visualization in Kibana.
The issue is resolved in versions 7.17.10 and 8.7.0.

ESA-2023-03 | CVE-2022-38779 | 2023-02-13
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL.
The issue is resolved in versions 7.17.9 and 8.6.2.

ESA-2023-02 | CVE-2022-38778 | 2023-02-03
A flaw (CVE-2022-38900) was discovered in one of Kibana's third-party dependencies that could allow an authenticated user to perform a request that crashes the Kibana server process.
Users are suggested to upgrade to 7.17.9 and 8.6.
ESA-2022-12 | CVE-2022-1364 | 2022-12-09
A type confusion vulnerability was discovered in the headless Chromium browser that Kibana relies on for its reporting capabilities.

This issue affects only on-premises Kibana installations on host Operating Systems where Chromium sandbox is disabled (only CentOS, Debian).

This issue does not affect Elastic Cloud, as the Chromium sandbox is enabled by default and cannot be disabled.

Affected Versions: Kibana versions 7.0.0 through 7.17.7 and 8.0.0 through 8.4.3

Severity Rating: CVSSv3.1: 8.8 (High) AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The issue is fixed in Kibana versions 8.5.0 and 7.17.8.

If you are unable to upgrade, you can disable Kibana reporting functionality completely with xpack.reporting.enabled: false in your kibana.yml file.
ESA-2022-08 | CVE-2022-23713 | 2022-06-30
A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser.
The issue is fixed in versions 8.3.0 and 7.17.5.

If you are unable to upgrade, you can disable Vega visualizations; see the Solutions and Mitigations section of the advisory.
ESA-2022-05 | CVE-2022-23711 | 2022-04-20
A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information.
The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring.
The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source.
Affected Versions: 
The exposure of Elastic Stack monitoring information affects Versions 7.8.0 through 7.17.2 & 8.0.0 through 8.1.2.
The exposure of other application-internal information affects Versions 7.2.1 through 7.17.2 & 8.0.0 through 8.1.2.
Elastic Cloud services deployments are not affected.
Severity Rating:
Stack Monitoring data exposure: High (8.2) CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/
Other application-internal information: Low (0.0) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:N



The issue is resolved in versions 7.17.3 and 8.1.3.



For Stack Monitoring users that cannot upgrade to the fixed versions, we recommend removing the monitoring settings, monitoring.ui.elasticsearch.*, from the configuration of the remote Kibana instance until the remote Kibana instance is upgraded. These users can still safely access the Stack Monitoring UI through the Kibana instance that is directly attached to the monitoring Elasticsearch cluster.

ESA-2022-04 | CVE-2022-23710 | 2022-02-28
A cross-site-scripting (XSS) vulnerability was discovered in the Data Preview Pane (previously known as Index Pattern Preview Pane) which could allow arbitrary JavaScript to be executed in a victim’s browser.



Affected Versions:  For self-managed deployments the issue impacts versions 7.15.0, 7.15.1, and 7.15.2. For Elastic Cloud Services the issue impacts versions 7.15.0 through 7.17.0, and 8.0.0.
CVSSv3: 5.4 (Medium) - AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

This issue is fixed in 7.17.1, 8.0.1, and 8.1.0.


As mitigation, users on affected versions can avoid granting users All access to the Index Pattern Management and Saved Object Management features if they should not be able to otherwise create/modify index patterns. Note: index patterns are called data views starting in 8.0.

ESA-2022-03 | CVE-2022-23709 | 2022-02-28
A flaw was discovered in Kibana in which users with Read access to the Uptime feature could modify alerting rules. A user with this privilege would be able to create new alerting rules or overwrite existing ones. However, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. This effectively means that Read users could disable existing alerting rules.



Affected Versions: Versions 7.7.0 through 7.17.0, and 8.0.0
CVSSv3: 4.3 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The issue is fixed in 7.17.1, 8.0.1, and 8.1.0.



As mitigation, users on affected versions can avoid granting users Read access to the Uptime feature if they should not be able to otherwise create/modify alerts, and avoid using the built-in Viewer role.

ESA-2022-01 | CVE-2022-23707 | 2022-02-03
An XSS vulnerability was found in Kibana index patterns. Using this vulnerability, an authenticated user with permissions to create index patterns can inject malicious JavaScript into the index pattern which could execute against other users.



Affected Versions: Versions 7.5.1 through 7.16.3
CVSSv3: 8.1 (High)- AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Users on affected versions should upgrade to the latest version of Kibana.



ESA-2021-27 | CVE-2021-37939 | 2021-11-10
It was discovered that Kibana’s JIRA connector and IBM Resilient connector could be used to return HTTP response data from internal hosts, which may be intentionally hidden from public view. Using this vulnerability, a malicious user with the ability to create connectors could utilize these connectors to view limited HTTP response data on hosts accessible to the cluster.



Affected Versions: Versions 7.8.0 through 7.15.1
CVSSv3: 4.1 (Medium) - AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Users should upgrade to Kibana version 7.15.2
ESA-2021-26 | CVE-2021-37938 | 2021-11-10
It was discovered that on Windows operating systems specifically, Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension. Thanks to Dominic Couture for finding this vulnerability.



Affected Versions: 7.9.0 through 7.15.1
CVSSv3: 3.1 (Low) - AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Users should upgrade to Kibana version 7.15.2

ESA-2021-21 | CVE-2021-22150 | 2021-09-01
It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server.
Users should upgrade to Kibana version 7.14.1.

ESA-2021-22 | CVE-2021-22151 | 2021-09-01
It was discovered that Kibana was not validating a user supplied path, which would load .pbf files. Because of this, a malicious user could arbitrarily traverse the Kibana host to load internal files ending in the .pbf extension.
Thanks to Luat Nguyen of CyberJutsu for reporting this issue.
Users should upgrade to Kibana version 7.14.1.

ESA-2021-23 | CVE-2021-37936 | 2021-09-01
It was discovered that Kibana was not sanitizing document fields containing HTML snippets. Using this vulnerability, an attacker with the ability to write documents to an Elasticsearch index could inject HTML. When the Discover app highlighted a search term containing the HTML, it would be rendered for the user.
Users can set “doc_table:highlight” to “false” in the Kibana Advanced Settings. Users who do not wish to do this, and are currently on version 7.14.0, should upgrade to version 7.14.1.

ESA-2021-24 | CVE-2021-3672, CVE-2021-22931, CVE-2021-22940, CVE-2021-22939 | 2021-09-01
Node.js version 14.17.3 is affected by several security vulnerabilities: CVE-2021-3672, CVE-2021-22931, CVE-2021-22940, and CVE-2021-22939. We do not believe an attacker can exploit these against Kibana, but we are upgrading Node.js out of an abundance of caution. Kibana 7.14.1 upgrades Node.js to version 14.17.5 to resolve these issues.
Users should upgrade to Kibana version 7.14.1.

ESA-2021-12 | CVE-2021-22141 | 2021-05-25
An open redirect flaw was found in Kibana versions before 7.13.0 and 6.8.16. If a logged in user visits a maliciously crafted URL, it could result in Kibana redirecting the user to an arbitrary website.
Users should update their version of Kibana to 7.13.0 or 6.8.16.

ESA-2021-13 | CVE-2021-22142 | 2021-05-25
Kibana contains an embedded version of the Chromium browser that the Reporting feature uses to generate the downloadable reports. If a user with permissions to generate reports is able to render arbitrary HTML with this browser, they may be able to leverage known Chromium vulnerabilities to conduct further attacks. Kibana contains a number of protections to prevent this browser from rendering arbitrary content.
Users should update their version of Kibana to 7.13.0.

ESA-2021-10 | CVE-2021-22139 | 2021-04-27
A denial of service vulnerability was found in the Kibana webhook actions due to a lack of timeout or a limit on the request size. An attacker with permissions to create webhook actions could drain the Kibana host connection pool, making Kibana unavailable for all other users.



Thank you to Dominic Couture for this finding.



Customers should upgrade to version 7.12.1 or above
ESA-2021-07 | CVE-2021-22136 | 2021-03-23
A flaw was discovered in the session timeout handling of Kibana versions before 7.12.0 and 6.8.15, where the xpack.security.session.idleTimeout setting was not respected. This was caused by background polling activities unintentionally extending authenticated users' sessions, preventing a user session from timing out.
Users should update their version of Kibana to 7.12.0 or 6.8.15.

ESA-2021-04 | CVE-2020-26296 | 2021-02-10
The Kibana “Vega” visualization type is susceptible to both stored and reflected XSS via a vulnerable version of the Vega library. Users who can create these visualizations or craft a vulnerable URL describing this visualization can execute arbitrary JavaScript in the victim’s browser.
Users should upgrade to Kibana version 7.10.2 or 6.8.14. Users unable to upgrade can disable Vega visualizations by setting ‘vega.enabled: false’ in the kibana.yml file.

ESA-2020-10 | CVE-2020-7017 | 2020-07-27
The region map visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of Kibana users who view the region map visualization.
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.



Users running version 6.7.0 or later have a reduced risk from this XSS vulnerability when Kibana is configured to use the default Content Security Policy (https://www.elastic.co/guide/en/kibana/current/settings.html) with a modern browser. While the CSP prevents XSS, it does not mitigate the underlying HTML injection vulnerability.



ESA-2020-09 | CVE-2020-7016 | 2020-07-27
Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive.
Users should upgrade to Kibana version 7.8.1 or 6.8.11. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

ESA-2020-08 | CVE-2020-7015 | 2020-06-03
The TSVB visualization in Kibana contains a stored XSS flaw. An attacker who is able to edit or create a TSVB visualization could obtain sensitive information from, or perform destructive actions on behalf of, Kibana users who edit the TSVB visualization.
Users should upgrade to Kibana version 7.7.1 or 6.8.10. Users unable to upgrade can disable TSVB by setting "metrics.enabled: false" in the kibana.yml file.

ESA-2020-06 | CVE-2020-7013 | 2020-06-03
Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable TSVB by setting "metrics.enabled: false" in the kibana.yml file.



This flaw is mitigated by default in all Elastic Cloud Kibana versions.

ESA-2020-05 | CVE-2020-7012 | 2020-06-03
Kibana versions between 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. This could possibly lead to an attacker executing code with the permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 7.7.0 or 6.8.9. Users unable to upgrade can disable the Upgrade Assistant using the instructions below.



Upgrade Assistant can be disabled by setting the following options in Kibana:
Kibana versions 6.7.0 and 6.7.1 can set ‘upgrade_assistant.enabled: false’ in the kibana.yml file
Kibana versions starting with 6.7.2 can set ‘xpack.upgrade_assistant.enabled: false’ in the kibana.yml file



This flaw is mitigated by default in all Elastic Cloud Kibana versions.

ESA-2020-01 | CVE-2019-15604, CVE-2019-15606, CVE-2019-15605 | 2020-03-04
The version of Node.js shipped in all versions of Kibana prior to 7.6.1 and 6.8.7 contains three security flaws.



CVE-2019-15604 describes a Denial of Service (DoS) flaw in the TLS handling code of Node.js. Successful exploitation of this flaw could result in Kibana crashing.



CVE-2019-15606 and CVE-2019-15605 describe flaws in how Node.js handles malformed HTTP headers. These malformed headers could result in a HTTP request smuggling attack when Kibana is running behind a proxy vulnerable to HTTP request smuggling attacks.



This update upgrades Node.js to version 10.19.0, which is not vulnerable to these issues.



Administrators running Kibana in an environment with untrusted users should upgrade to version 7.6.1 or 6.8.7. There is no workaround for the DoS issue. It may be possible to mitigate the HTTP request smuggling issues on the proxy server. Please consult your proxy vendor for instructions on how to mitigate HTTP request smuggling attacks.
ESA-2019-17 | CVE-2019-7621 | 2019-12-18
Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another Kibana user views that visualization or a dashboard containing the visualization it could execute JavaScript in the victim’s browser.



Please note that Kibana has Content Security Policy (CSP) enabled by default since versions 6.7.0 and 7.0.0. Most browsers supported by Kibana honor the CSP settings. CSP prevents attackers from executing arbitrary JavaScript using this flaw, however an attacker can still inject arbitrary HTML into the page. The ‘csp.strict: true’ can be set in kibana.yml to disallow browsers that do not enforce CSP rules.



Thanks to Eran Vaknin and Rotem Reiss, Security Researchers, for reporting this issue.



Users should upgrade to Kibana version 7.5.1 or 6.8.6. Users who are unable to upgrade can set ‘xpack.maps.enabled: false’, ‘region_map.enabled: false’, and ‘tile_map.enabled: false’ in kibana.yml to disable map visualizations.
ESA-2019-12 | CVE-2019-7618 | 2019-10-01
A local file disclosure flaw was found in Elastic Code versions 7.3.0, 7.3.1, and 7.3.2. If a malicious code repository is imported into Code it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code with the permission of the Kibana system user.



The Code application in Kibana is a beta feature and disabled by default at this time. If you do not have ‘xpack.code.ui.enabled: true’ in your kibana.yml configuration file you are not affected by this issue.



Users should upgrade to Elastic Code 7.4.0



Users unable to upgrade that have enabled the Code application in Kibana can disable it by setting ‘xpack.code.ui.enabled: false’ in kibana.yml.



ESA-2019-10 | CVE-2019-10744 | 2019-07-30
A prototype pollution flaw exists in lodash, a component used by Kibana. An attacker with access to Kibana may be able to use this lodash flaw to unexpectedly modify internal Kibana data. Prototype pollution can be leveraged to execute a cross-site-scripting (XSS), denial of service (DoS), or Remote Code Execution attack against Kibana. No exploitable vectors in Kibana have been identified at the time of publishing.
Users should upgrade to Kibana version 7.2.1 or 6.8.2. There is no workaround for this issue.

ESA-2019-09 | CVE-2019-7616 | 2019-07-30
Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for the Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an arbitrary URL. This could possibly lead to an attacker accessing external URL resources as the Kibana process on the host system.



Kibana now includes a timelion.graphiteUrls option that allows administrators to whitelist valid Graphite URLs in the kibana.yml file.



Thanks to Braden Hollembaek of Salesforce for reporting this issue.



Users should upgrade to Kibana version 7.2.1 or 6.8.2. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.
ESA-2019-01 | CVE-2019-7608 | 2019-02-19
Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.6.1 or 5.6.15.

ESA-2019-02 | CVE-2019-7609 | 2019-02-19
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can disable Timelion by setting timelion.enabled to false in the kibana.yml configuration file.

ESA-2019-03 | CVE-2019-7610 | 2019-02-19
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Users should upgrade to Kibana version 6.6.1 or 5.6.15. Users unable to upgrade can set the xpack.security.audit.enabled setting to false in the kibana.yml configuration file if it is currently set to true. The setting defaults to false if not specified in the configuration file.
ESA-2018-17 | CVE-2018-17245 | 2018-11-06
Yuri Astrakhan and Nick Peihl of Elastic discovered Kibana versions 4.0 to 4.6, 5.0 to 5.6.12, and 6.0 to 6.4.2 contain an error in the way authorization credentials are used when generating PDF reports. If a report requests external resources, plaintext credentials are included in the HTTP request and could be recovered by an external resource provider.
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13.
Users unable to upgrade can disable the Reporting feature in Kibana by setting xpack.reporting.enabled to false in the kibana.yml file. This does not prevent previously leaked credentials from being reused.
For more information about mitigating from this flaw please see our .
ESA-2018-18 | CVE-2018-17246 | 2018-11-06
Nethanel Coppenhagen of CyberArk Labs discovered Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system.
Users should upgrade to Elastic Stack version 6.4.3 or 5.6.13.
Users unable to upgrade can disable the Kibana Console plugin. The Console plugin can be disabled by setting “console.enabled: false” in the kibana.yml file.
ESA-2018-14 | CVE-2018-3830 | 2018-09-18
Kibana versions 5.3.0 to 6.4.1 had a cross-site scripting (XSS) vulnerability via the source field formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.4.1 or 5.6.12. There are no known workarounds for this issue.

ESA-2018-08 | CVE-2018-3824 | 2018-04-17
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has an ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9.

ESA-2018-06 | CVE-2018-3823 | 2018-04-17
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
Users should upgrade to Elasticsearch version 6.2.4 or 5.6.9.

ESA-2018-05 | CVE-2018-3821 | 2018-01-30
Kibana versions after 5.1.1 and before 5.6.7 and 6.1.3 had a cross-site scripting (XSS) vulnerability in the tag cloud visualization that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.

ESA-2018-04 | CVE-2018-3820 | 2018-01-30
Kibana versions after 6.1.0 and before 6.1.3 had a cross-site scripting (XSS) vulnerability in labs visualizations that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users of affected versions should upgrade to Kibana version 6.1.3. There are no known workarounds for this issue.

ESA-2018-03 | CVE-2018-3819 | 2018-01-30
The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack security enabled, Kibana versions before 6.1.3 and 5.6.7 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.
Users should upgrade to Kibana version 6.1.3 or 5.6.7. There are no known workarounds for this issue.

ESA-2018-02 | CVE-2018-3818 | 2018-01-16
Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting (XSS) vulnerability via the colored fields formatter that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.
Users should upgrade to Kibana version 6.1.2 or 5.6.6. There are no known workarounds for this issue.
ESA-2017-24CVE-2017-10010022017-12-19Kibana version 6.1.0 had an arbitrary code execution vulnerability in the Math.js package which is used by math aggregations in Time Series Visual Builder. Kibana users could construct a math aggregation capable of executing arbitrary code on the Kibana server.Anyone running Kibana 6.1.0 should upgrade to Kibana version 6.1.1. If you are unable to upgrade, you may set "metrics.enabled: false" in the kibana.yml file to disable the Time Series Visual Builder feature.
ESA-2017-23CVE-2017-114822017-12-06The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pack installed, Kibana versions before 6.0.1 and 5.6.5 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website.Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
ESA-2017-22CVE-2017-114812017-12-06Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (XSS) vulnerability via URL fields that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.Users should upgrade to Kibana version 6.0.1 or 5.6.5. There are no known workarounds for this issue.
ESA-2017-20CVE-2017-114792017-09-18Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.Users should upgrade to Kibana version 5.6.1. There are no known workarounds for this issue.
ESA-2017-17CVE-2017-84462017-08-17The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.Reporting users should upgrade to X-Pack version 5.5.2 or Reporting Plugin version 2.4.6. A mitigation for this issue is to remove the reporting_user role from any untrusted users of your Elastic Stack.
ESA-2017-16
2017-08-17Kibana versions prior to 5.5.2 had a cross-site scripting (XSS) vulnerability in the markdown parser that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.Users should upgrade to Kibana version 5.5.2 or 4.6.5.
ESA-2017-14CVE-2017-114992017-07-25The version of Node.js shipped in all versions of Kibana prior to 5.5.1 contains a Denial of Service flaw in it's HashTable random seed. This flaw could allow a remote attacker to consume resources within Node.js preventing Kibana from servicing requests.Administrators running Kibana in an environment with untrusted users should upgrade to version 5.5.1 or 4.6.5. There is no workaround for this issue, the flaw can be triggered by an unauthenticated anonymous user.
ESA-2017-11CVE-2017-84432017-06-27In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs.We believe the severity of this issue is low since the issue can be triggered only by a crafted URL, and it will be very difficult for an external attacker to acquire credentials even with the vulnerability.  Kibana users concerned with this issue should upgrade to version 5.4.3 or later. 
ESA-2017-08CVE-2017-84402017-06-01Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users.  Thanks to Thomas Gøytil for reporting this issue.All users of Kibana 5.3 or 5.4 should upgrade to versions 5.3.3 and 5.4.1.
ESA-2017-07CVE-2017-84392017-06-01Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users.All Kibana 5.4.0 users should upgrade to version 5.4.1. If upgrading is impossible, the time series visual builder can be disabled by setting metrics.enabled: false in the kibana.yml. Note that this will trigger a re-optimization when you restart Kibana.
ESA-2017-04CVE-2017-84512017-04-20With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. Shield versions for Kibana prior to 2.4.5 are also affected.Users should upgrade to Kibana version 5.3.1 as soon as possible. Users on Kibana 4.6 should update the Kibana Shield plugin to 2.4.5.
ESA-2017-02CVE-2017-84522017-02-14When Kibana is configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. Requests that are canceled before data is sent can also crash the process.Users of previous versions Kibana 5 that have SSL configured should upgrade to 5.2.1 immediately. Terminating SSL at a reverse proxy or load balancer will act as a workaround. Kibana version 4 is not affected.
ESA-2016-10CVE-2016-103642016-11-29With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, so any authenticated user could make requests to those services regardless of their own permissions.Users of Kibana and X-Pack versions 5.0.0 and 5.0.1 that have user-specific permissions for advanced settings or short URLs should upgrade to 5.0.2 as soon as possible.
ESA-2016-09CVE-2016-103652016-11-15Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. Thanks to the GE Digital Security Team for finding the issue.Users should upgrade to 5.0.1 or 4.6.3 as soon as possible.
ESA-2016-07CVE-2016-103662016-10-24Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.Users of Kibana 4.3 or greater should upgrade to Kibana 4.6.2 immediately.
ESA-2016-05CVE-2016-10002182016-09-06Version 2.4.0 of the Reporting plugin is vulnerable to a CSRF vulnerability that could allow an attacker to generate superfluous reports whenever an authenticated Kibana user navigates to a specially-crafted page.Users of the Reporting plugin should upgrade Kibana to 4.6.1 and Reporting to 2.4.1.
ESA-2016-04CVE-2016-10002192016-08-03When a custom output is configured for logging in versions of Kibana before 4.5.4 and 4.1.11, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.Users should upgrade to 4.5.4 or 4.1.11.
ESA-2016-03CVE-2016-10002202016-08-03Versions of Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers.Users should upgrade to 4.5.4 or 4.1.11.
ESA-2015-11CVE-2015-90562015-12-17Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack.Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-10CVE-2015-81312015-11-17Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a CSRF attack.Users should upgrade to 4.1.3 or 4.2.1.
ESA-2015-03CVE-2015-40932015-06-29Kibana versions 4.0.0, 4.0.1 and 4.0.2 are vulnerable to a cross-site scripting attack.Users should upgrade to 4.0.3.

Beats

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary
ESA-2023-30 | CVE-2023-49922, CVE-2023-6687 | 2023-12-12
Vulnerability Summary: An issue was discovered by Elastic whereby Beats and Elastic Agent would log a raw event in their own logs at the `WARN` or `ERROR` level if ingesting that event into Elasticsearch failed with any `4xx` HTTP status code except `409` or `429`. Depending on the nature of the event that Beats or Elastic Agent attempted to ingest, this could lead to the insertion of sensitive or private information into the Beats or Elastic Agent logs. Elastic has released 8.11.3 and 7.17.16, which prevent this issue by limiting these types of logs to `DEBUG` level logging, which is disabled by default.
Remediation Summary: The issue is resolved in versions 7.17.16 and 8.11.3.

ESA-2023-16 | CVE-2023-31421 | 2023-09-19
Vulnerability Summary: It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; certificate signature validation is still performed. More specifically, when the client is configured to connect to an IP address (instead of a hostname) it does not validate the server certificate's IP SAN values against that IP address, so certificate validation does not fail and the connection is not blocked as expected.
Remediation Summary: The issue is resolved in version 8.10.1.
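The check described in ESA-2023-16, as an added example that is not Beats', Elastic Agent's or APM Server's own code: a self-signed certificate (constructed test data, assumed to carry a single IP SAN of 10.0.0.5 and to be the client's configured trust anchor) is verified two ways. verifySignatureOnly reproduces the flawed behaviour, validating only the chain, so it accepts the certificate no matter which address was dialled; verifyServer adds the identity check by passing the dialled address through VerifyOptions.DNSName, which Go's crypto/x509 compares against the IP SANs when the value is an IP literal. The addresses and certificate fields are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert builds a self-signed certificate (constructed test data) whose
// only identities are the given IP SANs. It stands in for the Elasticsearch or
// APM Server endpoint a Beat connects to by IP address.
func newServerCert(ips ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "es-node"}, // CN is not an identity; only SANs count
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("bad IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedRoots returns a pool holding the self-signed server certificate, the
// equivalent of the CA configured for the client's output (assumption).
func trustedRoots(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// verifySignatureOnly is the flawed behaviour: the chain is validated against
// the trusted roots, but nothing ties the certificate to the address that was
// dialled, so any server certificate from the trusted CA is accepted.
func verifySignatureOnly(cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trustedRoots(cert),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// verifyServer is the correct behaviour: chain validation plus identity
// validation of the dialled address. DNSName goes to VerifyHostname, which for
// an IP literal compares it against the certificate's IP SANs.
func verifyServer(cert *x509.Certificate, dialled string) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trustedRoots(cert),
		DNSName:   dialled,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	cert, err := newServerCert("10.0.0.5")
	if err != nil {
		panic(err)
	}
	for _, target := range []string{"10.0.0.5", "10.0.0.6"} {
		fmt.Printf("dial %-9s signature-only accepts: %v | full check accepts: %v\n",
			target, verifySignatureOnly(cert) == nil, verifyServer(cert, target) == nil)
	}
	// dial 10.0.0.5  signature-only accepts: true | full check accepts: true
	// dial 10.0.0.6  signature-only accepts: true | full check accepts: false
}
```

The second line of output is the ESA-2023-16 condition: a valid certificate issued for some other host on the same trusted CA is accepted when only the signature is checked, and rejected once the dialled IP is compared with the IP SANs.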
ESA-2023-04 | CVE-2023-31413 | 2023-05-02
Vulnerability Summary: A flaw was discovered in the Filebeat httpjson input that allows the contents of the HTTP request Authorization or Proxy-Authorization header to be leaked in the logs when debug logging is enabled.
Remediation Summary: The issue is resolved in versions 8.7.0 and 7.17.10.
ESA-2020-16 | CVE-2020-28362 | 2020-12-09
Vulnerability Summary: A denial of service flaw when parsing malformed TLS public keys was discovered in Go, the language used to implement Beats. If Beats is configured to listen for syslog over TLS, or if Beats is making outbound connections over HTTPS, a remote attacker could cause the Beats process to crash. The attacker must be able to present a specially malformed TLS public key to the Beat. Inbound HTTPS connections to Beats are not affected by this issue; the Beats process is able to recover from receiving a malformed key.
Remediation Summary: Users should upgrade to Beats version 7.10.1. Elastic is unable to upgrade Beats version 6.8 due to the version of Go used. We consider this flaw to be of low enough severity that a possible fix poses a greater risk than the issue itself. Users unable to upgrade to version 7.10.1 can mitigate this vulnerability by using host-based network controls such as a firewall or proxy.
ESA-2019-15 | CVE-2019-17596 | 2019-12-02
Vulnerability Summary: A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement Beats. If Metricbeat or Filebeat versions before 7.5.0 are configured to accept incoming TLS connections with client authentication enabled, a remote attacker could cause the Beat to stop processing events.
Remediation Summary: Users should upgrade to Metricbeat and Filebeat 7.5.0. We are unable to upgrade Metricbeat and Filebeat 6.8 due to the version of Go used; it is possible to mitigate this flaw if users are unable to upgrade to version 7.5.0. The Filebeat syslog input and the Metricbeat graphite and httpd modules could be vulnerable to this if configured to accept incoming TLS connections with client authentication enabled. Instances configured in this manner and unable to upgrade to version 7.5.0 should use firewall rules to prevent malicious access. Alternatively, a TLS termination proxy such as stunnel could be configured to prevent direct incoming TLS connections.

ESA-2019-06 | CVE-2019-7613 | 2019-03-19
Vulnerability Summary: Nate Guagenti (@neu5ron), solutions engineer with Perched Inc., reported that Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event.
Remediation Summary: Users should upgrade to Winlogbeat version 6.6.2 or 5.6.16.
ESA-2017-21 | CVE-2017-11480 | 2017-01-07
Vulnerability Summary: Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.
Remediation Summary: Users should upgrade to Packetbeat version 5.6.4. This issue can be avoided by disabling the PostgreSQL protocol.

Elastic Cloud Enterprise

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2023-09 | CVE-2023-1370 | 2023-07-18
Vulnerability Summary: A denial of service vulnerability was discovered in ECE that could lead to the ECE Admin API server becoming unavailable if a maliciously crafted JWT is supplied. This is due to the use of a transitive dependency, json-smart, which parses nested arrays in an unsafe way. Deployments that run on ECE are unaffected.
Remediation Summary: The dependency has been updated, which resolves the issue in versions 2.13.3 and 3.3.0.

ESA-2022-11 | CVE-2022-23716 | 2022-09-27
Vulnerability Summary: A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster.
Severity: CVSSv3.1: 8.7 (High) - AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Remediation Summary: Users should upgrade to Elastic Cloud Enterprise 3.1.1 or later. Note that by default, only users with a Platform admin role have access to the Logging and Monitoring cluster.

ESA-2022-10 | CVE-2022-23715 | 2022-08-24
Vulnerability Summary: A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster.
Severity: CVSSv3.1: 8.5 (High) - AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Remediation Summary: Users should upgrade to Elastic Cloud Enterprise 3.4.0. Note that by default, only users with a Platform admin role have access to the Logging and Monitoring cluster and the audit logs.

ESA-2021-17 | CVE-2021-22146 | 2021-07-20
Vulnerability Summary: Elastic Cloud Enterprise has the Elasticsearch "anonymous" user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
Remediation Summary: Affected users should apply the stack pack. There is no known workaround.

ESA-2018-09 | CVE-2018-3825 | 2018-06-13
Vulnerability Summary: In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4, a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly, they would be able to access configuration information of other tenants if their cluster ID is known.
Remediation Summary: New deployments should target release 1.1.4 or greater. It is recommended that existing deployments perform an upgrade. Additionally, ECE deployments that are susceptible to remote code execution are recommended to rotate their existing credentials using a cleanup script. Please find instructions and more information in the 

ESA-2018-12 | CVE-2018-3828 | 2018-06-13
Vulnerability Summary: Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security-sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain the leaked credentials and perform authenticated actions using them.
Remediation Summary: All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensures credentials are properly redacted under error conditions.

ESA-2018-13 | CVE-2018-3829 | 2018-06-13
Vulnerability Summary: In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and the IP address of the coordinator host could add an allocator to an existing ECE install to gain access to other clusters' data.
Remediation Summary: All users of Elastic Cloud Enterprise should upgrade to version 1.1.4. This ensures role tokens are properly revoked for previously deleted runner roles.

ESA-2017-13 | CVE-2017-8444 | 2017-09-12
Vulnerability Summary: The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 does not properly encrypt traffic to ZooKeeper. If an attacker is able to man-in-the-middle (MITM) the traffic between the client-forwarder and ZooKeeper, they could potentially obtain sensitive data.
Remediation Summary: All Elastic Cloud Enterprise users should upgrade to version 1.0.2. There is no known workaround for this issue.

Elastic Cloud on Kubernetes

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2023-11 | CVE-2023-31416 | 2023-09-26
Vulnerability Summary: Secret token configuration is never applied when using ECK versions before 2.8 with APM Server 8.0 or later. This could lead to anonymous requests to an APM Server being accepted and the data ingested into this APM deployment.
Remediation Summary: Users should upgrade to Elastic Cloud on Kubernetes (ECK) version 2.8 or higher.
ESA-2020-03 | CVE-2020-7010 | 2020-04-28
Vulnerability Summary: Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed, they may be able to more easily brute force the Elasticsearch credentials generated by ECK.
Remediation Summary: All Elastic Cloud on Kubernetes users should upgrade to version 1.1.0. Instructions for applying this update can be found . There is no workaround for this issue. This issue affects the default auto-generated credentials for a cluster; clusters where the auto-generated Elasticsearch credentials have been changed do not need to take any action. Once ECK is upgraded to version 1.1.0, the auto-generated credentials should be rotated using the instructions found .
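Why knowing the deployment time matters for ESA-2020-03, as an added example that is not ECK's code and makes no claim about which generator ECK actually used: weakPassword models the bug class, a non-cryptographic PRNG seeded from a value the attacker can estimate (here the deployment time), so an attacker who knows the cluster was created within some window simply re-seeds the same generator for every candidate second and tests each candidate; strongPassword draws from crypto/rand, for which no such shortcut exists. The alphabet, password length, seed derivation, window and the oracle standing in for a login attempt are all assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

const (
	alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	pwLength = 24 // assumption for the example
)

// weakPassword is the flawed pattern: a non-cryptographic PRNG seeded from
// something an attacker can estimate (the deployment time, an assumption for
// illustration). Same seed, same password, every time.
func weakPassword(deployedAt time.Time) string {
	r := mrand.New(mrand.NewSource(deployedAt.Unix()))
	b := make([]byte, pwLength)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongPassword draws every character from crypto/rand; rand.Int samples
// uniformly in [0, len(alphabet)) so no character is favoured by modulo bias.
func strongPassword() (string, error) {
	b := make([]byte, pwLength)
	n := big.NewInt(int64(len(alphabet)))
	for i := range b {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		b[i] = alphabet[idx.Int64()]
	}
	return string(b), nil
}

// recoverWeakPassword is the attacker's side of the ESA-2020-03 threat model:
// knowing the cluster was created somewhere in [start, start+window], re-seed
// the same PRNG for every candidate second and ask the oracle (standing in for
// a login attempt) whether the candidate is right. Returns the password and the
// number of guesses used, or "" if nothing in the window matched.
func recoverWeakPassword(start time.Time, window time.Duration, oracle func(string) bool) (string, int) {
	guesses := 0
	end := start.Add(window)
	for t := start; !t.After(end); t = t.Add(time.Second) {
		guesses++
		if cand := weakPassword(t); oracle(cand) {
			return cand, guesses
		}
	}
	return "", guesses
}

func main() {
	deployed := time.Date(2020, 4, 1, 12, 30, 17, 0, time.UTC)
	pw := weakPassword(deployed)
	oracle := func(c string) bool { return c == pw }

	// The attacker only knows "deployed within this two-hour window": 7201 candidates.
	found, n := recoverWeakPassword(deployed.Add(-time.Hour), 2*time.Hour, oracle)
	fmt.Printf("weak PRNG: recovered=%v after %d guesses\n", found == pw, n)

	strong, err := strongPassword()
	if err != nil {
		panic(err)
	}
	found, n = recoverWeakPassword(deployed.Add(-time.Hour), 2*time.Hour,
		func(c string) bool { return c == strong })
	fmt.Printf("crypto/rand: recovered=%v after %d guesses\n", found != "", n)
}
```

A 24-character password from a 62-symbol alphabet has about 143 bits of entropy when drawn from crypto/rand, but only as much entropy as the seed when derived from a time-seeded PRNG, which is why the advisory ties the attack to knowing the deployment time and why the remediation rotates the credentials rather than only upgrading the operator.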

APM

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2024-03 | CVE-2024-23448 | 2024-02-06
Vulnerability Summary: An issue was discovered whereby APM Server could log, at ERROR level, a response from Elasticsearch indicating that indexing the document failed, and that response would contain parts of the original document. Depending on the nature of the document that the APM Server attempted to ingest, this could lead to the insertion of sensitive or private information in the APM Server logs.
Affected Versions: APM Server versions before 8.12.1
Remediation Summary: The issue is resolved in version 8.12.1.
Reviewing Logs for Sensitive Information: Users can search for instances of these documents and determine whether any sensitive information has been leaked in APM Server logs by searching the logs for the string "Preview of field's value:".
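A scanner for the log review recommended above, as an added example that is not Elastic's tooling; it serves both ESA-2024-03 (APM Server) here and ESA-2023-30 (Beats and Elastic Agent) in the Beats section. It reads ECS-JSON log lines of the kind Beats and APM Server write (and falls back to plain text), flags any message that embeds ingested document contents, and reports each hit with the document payload redacted so the report itself does not copy the leak. The `Preview of field's value:` marker is the one the advisory names; the `Cannot index event` / `publisher.Event{` marker is an assumption about how the Beats Elasticsearch output words its message, and the sample log lines are constructed, not captured from a real deployment.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Finding is one log line that carries (part of) an ingested document.
type Finding struct {
	Line    int
	Level   string // as logged; empty for non-JSON lines
	Marker  string
	Excerpt string // redacted excerpt safe to put in a report
}

// Markers whose presence means the message embeds document contents. The first
// is the string named in ESA-2024-03; the second is an assumption about the
// wording of the Beats/Elastic Agent message behind ESA-2023-30.
var markers = []string{
	"Preview of field's value:",
	"Cannot index event",
}

// Elasticsearch quotes the offending value after the marker: Preview of field's value: '...'
var previewRe = regexp.MustCompile(`Preview of field's value: '[^']*'`)

// redact strips the document payload from a matched message before reporting it.
func redact(msg string) string {
	msg = previewRe.ReplaceAllString(msg, "Preview of field's value: '[REDACTED]'")
	if i := strings.Index(msg, "publisher.Event{"); i >= 0 {
		msg = msg[:i] + "publisher.Event{[REDACTED]}"
	}
	if len(msg) > 160 {
		msg = msg[:160] + "..."
	}
	return msg
}

// scanLogs reads log lines (ECS JSON with "log.level" and "message" fields, or
// plain text) and returns one Finding per line whose message contains a marker.
func scanLogs(r io.Reader) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // a logged raw event can be a very long line
	n := 0
	for sc.Scan() {
		n++
		raw := sc.Text()
		level, msg := "", raw
		var rec map[string]any
		if err := json.Unmarshal([]byte(raw), &rec); err == nil {
			if l, ok := rec["log.level"].(string); ok {
				level = l
			}
			if m, ok := rec["message"].(string); ok {
				msg = m
			}
		}
		for _, mk := range markers {
			if strings.Contains(msg, mk) {
				out = append(out, Finding{Line: n, Level: level, Marker: mk, Excerpt: redact(msg)})
				break
			}
		}
	}
	return out, sc.Err()
}

// alerting keeps findings logged at WARN or ERROR, the levels affected versions
// used; a hit at DEBUG means debug logging was switched on deliberately.
func alerting(fs []Finding) []Finding {
	var out []Finding
	for _, f := range fs {
		switch strings.ToUpper(f.Level) {
		case "WARN", "WARNING", "ERROR":
			out = append(out, f)
		}
	}
	return out
}

// sampleLogs is constructed test data, not captured from a real deployment.
const sampleLogs = `{"log.level":"error","@timestamp":"2023-12-01T10:00:00.000Z","message":"Cannot index event publisher.Event{Content:beat.Event{Fields:{\"user\":\"alice\",\"ssn\":\"123-45-6789\"}}} (status=400): {\"type\":\"mapper_parsing_exception\"}"}
{"log.level":"info","@timestamp":"2023-12-01T10:00:01.000Z","message":"Connection to backoff(elasticsearch(https://es:9200)) established"}
{"log.level":"error","@timestamp":"2024-02-01T09:00:00.000Z","message":"failed to index document: failed to parse field [labels.card] of type [long]. Preview of field's value: '4111 1111 1111 1111'"}
{"log.level":"debug","@timestamp":"2024-02-01T09:00:01.000Z","message":"Preview of field's value: 'nothing sensitive'"}
plain text line with no markers`

func main() {
	fs, err := scanLogs(strings.NewReader(sampleLogs))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d lines embed document contents, %d of them at WARN/ERROR\n", len(fs), len(alerting(fs)))
	for _, f := range fs {
		fmt.Printf("line %d [%s] %s: %s\n", f.Line, f.Level, f.Marker, f.Excerpt)
	}
}
```

Run it against the real log files by replacing strings.NewReader(sampleLogs) with an os.Open of the Beats, Elastic Agent or APM Server log; any alerting finding means the raw document reached the log and the log's own access history needs the same review as the document would.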

ESA-2021-30 | CVE-2021-37942 | 2021-12-10
Vulnerability Summary: A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious plugin to an application running the APM Java agent. By using this vulnerability, an attacker could execute code at a potentially higher level of permissions than their user typically has access to.
Affected Versions: 1.18.0 through 1.27.0
CVSSv3: 7.0 (High) - AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Remediation Summary: Update to 1.27.1 or newer, or use the unaffected -javaagent-based installation method.
ESA-2021-29 | CVE-2021-37941 | 2021-11-18
Vulnerability Summary: A local privilege escalation issue was found with the APM Java agent, where a user on the system could attach a malicious file to an application running with the APM Java agent. Using this vector, a malicious or compromised user account could use the agent to run commands at a higher level of permissions than they possess. This vulnerability affects users that have set up the agent via the attacher CLI or the attach API, as well as users that have enabled the profiling_inferred_spans_enabled option.
Affected Versions: 1.10.0 through 1.26.0
CVSSv3: 7.0 (High) - AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Remediation Summary: Update to 1.27.0 or newer, or use the unaffected -javaagent-based installation method and disable the profiling_inferred_spans_enabled option.

ESA-2021-14 | CVE-2021-22143 | 2021-06-01
Vulnerability Summary: The Elastic APM .NET Agent can leak sensitive HTTP header information when logging the details during an application error. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application error it is possible the headers will not be sanitized before being sent.
Remediation Summary: Anyone using the Elastic APM .NET Agent should upgrade to version 1.10.0.
ESA-2021-02 | CVE-2021-22133 | 2021-02-04
Vulnerability Summary: The Elastic APM agent for Go can leak sensitive HTTP header information when logging the details during an application panic. Normally, the APM agent will sanitize sensitive HTTP header details before sending the information to the APM server. During an application panic it is possible the headers will not be sanitized before being sent. Elastic thanks Rob Liebowitz, Senior Software Engineer at Morning Consult, for reporting this issue.
Remediation Summary: Anyone using the APM agent for Go should upgrade to version 1.11.0.
ESA-2019-16 | CVE-2019-17596 | 2019-12-02
Vulnerability Summary: A denial of service flaw when parsing malformed DSA public keys was discovered in Go, the language used to implement APM Server. If APM Server versions before 7.5.0 are configured to accept incoming TLS connections with client authentication enabled, a remote attacker could cause APM Server to stop processing events.
Remediation Summary: Users should upgrade to APM Server 7.5.0. We are unable to upgrade APM Server version 6.8 due to the version of Go used; it is possible to mitigate this flaw if users are unable to upgrade to version 7.5.0. APM Server is vulnerable to this if configured to accept incoming TLS connections with client authentication enabled. Instances configured in this manner and unable to upgrade to version 7.5.0 should use firewall rules to prevent malicious access. Alternatively, a TLS termination proxy such as stunnel could be configured to prevent direct incoming TLS connections.

ESA-2019-11 | CVE-2019-7617 | 2019-08-21
Vulnerability Summary: When the Elastic APM agent for Python is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of their choosing. This flaw only affects the APM agent for Python when it is run as a CGI script; if you are not using the agent as a CGI script this flaw does not affect you.
Remediation Summary: Users running the Elastic APM agent for Python as a CGI script should upgrade to Elastic APM agent for Python version 5.1.0 or later.
ESA-2019-08 | CVE-2019-7615 | 2019-07-30
Vulnerability Summary: A TLS certificate validation flaw was found in the Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the server_ca_cert setting, the Ruby agent would not properly verify the certificate returned by the APM server. This could result in a man-in-the-middle style attack against the Ruby agent.
Remediation Summary: Users should upgrade to Elastic APM agent for Ruby version 2.9.0 or later.

Enterprise Search

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2023-31 | CVE-2023-49923 | 2023-12-12
Vulnerability Summary: An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents at INFO log level. Depending on the contents of such documents, this could lead to the insertion of sensitive or private information in the App Search logs. Elastic has released 8.11.2 and 7.17.16, which resolve this issue by changing the log level at which these are logged to DEBUG, which is disabled by default.
Affected Versions: Enterprise Search versions on or after 7.0.0 and before 7.17.16; Enterprise Search versions on or after 8.0.0 and before 8.11.2.
Affected Configurations: Only users that directly utilize the Documents API are affected by this issue, and only if the documents they are ingesting via this API contain sensitive or private information.
Severity: CVSSv3: 6.8 (Medium) - AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Remediation Summary: The issue is resolved in versions 7.17.16 and 8.11.2. Customers on versions before 7.17.16 and 8.11.2 that cannot upgrade can prohibit document contents from being logged by setting log_level to WARN or higher in their Enterprise Search configuration. Refer to our documentation for applying this setting on Elastic Cloud, ECE or self-managed clusters.
ESA-2021-28 | CVE-2021-37940 | 2021-12-07
Vulnerability Summary: An information disclosure vulnerability via GET-request server-side request forgery (SSRF) was discovered in the Workplace Search GitHub Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might not be publicly accessible.
Affected Versions: Workplace Search versions through 7.15.2
CVSSv3: 6.8 (Medium) - AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Remediation Summary: Anyone using the GHES integration for Workplace Search should upgrade to 7.16.0.



ESA-2021-20 | CVE-2021-22149 | 2021-08-03
Vulnerability Summary: A flaw in Elastic App Search was discovered where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
Remediation Summary: Users should upgrade to version 7.14.0.

ESA-2021-19 | CVE-2021-22148 | 2021-08-03
Vulnerability Summary: A flaw in Elastic App Search was discovered where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
Remediation Summary: Users should upgrade to version 7.14.0.

ESA-2021-11 | CVE-2021-22140 | 2021-04-27
Vulnerability Summary: An XML External Entity injection (XXE) issue was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files. Thank you to Dominic Couture for this finding.
Remediation Summary: Customers that are utilizing the App Search web crawler should upgrade to 7.12.1 or above.
ESA-2020-14 | CVE-2016-11086 | 2020-10-22
Vulnerability Summary: A TLS certificate validation flaw in the Atlassian connector was found in the oauth-ruby library used by Elastic Enterprise Search versions before 7.9.3. When configuring Enterprise Search to connect to a Confluence Server, Jira Server, Confluence Cloud, or Jira Cloud, the TLS certificate will not be properly verified by the oauth-ruby library. This could result in a man-in-the-middle style attack against Enterprise Search connecting to an Atlassian service.
Remediation Summary: Anyone using Atlassian connectors should upgrade to Enterprise Search version 7.9.3. There is no known workaround for this flaw.
ESA-2020-11 | CVE-2020-7018 | 2020-08-18
Vulnerability Summary: Elastic Enterprise Search versions before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the developer role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions as the App Search administrator. Thanks to Matt Peel of Silverstripe for reporting this vulnerability.
Remediation Summary: Users should upgrade to Enterprise Search version 7.9.0. Users unable to upgrade can remove the developer role from App Search users and reset their existing API keys.
ESA-2020-04 | CVE-2020-7011 | 2020-05-13
Vulnerability Summary: Elastic App Search versions before 7.7.0 contain a cross-site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim's web browser.
Remediation Summary: Users should upgrade to Elastic Enterprise Search version 7.7.0. There is no known workaround for this issue.



Elastic Security for Endpoint

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2023-21 | CVE-2023-46668 | 2023-10-17
Vulnerability Summary: If Elastic Endpoint (v7.9.0 to v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to debug, and Elastic Agent is simultaneously configured to collect and send those logs to Elasticsearch, then Elastic Agent API keys can be viewed in Elasticsearch in plaintext. These API keys could be used to write arbitrary data and read Elastic Endpoint user artifacts.
Remediation Summary: Solutions & Mitigations

ESA-2022-09 | CVE-2022-23714 | 2022-06-30
Vulnerability Summary: A local privilege escalation (LPE) issue was discovered in the ransomware canaries feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Remediation Summary: Solutions & Mitigations

ESA-2022-13 | CVE-2022-37884 | 2023-01-23
Vulnerability Summary: An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Remediation Summary: Solutions & Mitigations

ESA-2022-14 | CVE-2022-37885 | 2023-01-23
Vulnerability Summary: An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Remediation Summary: Solutions & Mitigations

ESA-2023-01 | CVE-2022-38777 | 2023-02-03
Vulnerability Summary: An issue was discovered in the quarantine feature of Elastic Endpoint Security and Elastic Endgame for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Remediation Summary: Solutions & Mitigations

Elastic Connectors

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2024-02 | CVE-2024-23447 | 2024-02-06
Vulnerability Summary: An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file with an explicit allow-write and deny-read. Although the document is not accessible to the user in the network drive, it is visible to the user in search applications.
Remediation Summary: The issue is resolved in Elastic Network Drive Connector v8.12.1 and above.

ESA-2023-18 | CVE-2023-46666 | 2023-10-10
Vulnerability Summary: An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in the Elastic SharePoint Online Python Connector. If a user is assigned limited access permissions to an item on a SharePoint site, then that user would have read permissions to all content on the SharePoint site through Elasticsearch.
Remediation Summary: The issue is resolved in Elastic SharePoint Online Python Connector v8.10.3.0 and above.

Fleet Server

ESA ID | CVE | Date Disclosed | Vulnerability Summary | Remediation Summary

ESA-2023-20 | CVE-2023-46667 | 2023-10-10
Vulnerability Summary: An issue was discovered in Fleet Server versions from v8.10.0 up to but not including v8.10.3 where Agent enrollment tokens are inserted into the Fleet Server's log file in plain text. These enrollment tokens could allow someone to enroll an agent into an agent policy, and potentially use that to retrieve other secrets in the policy, including those for Elasticsearch and third-party services. Alternatively, a threat actor could potentially enroll agents into the clusters and send arbitrary events to Elasticsearch.
Remediation Summary: If an affected version is being utilized, upgrade to Fleet Server v8.10.3 or above. If there are ephemeral containers configured to use a token, ensure they are replaced before deleting and revoking the old token. Delete the existing enrollment tokens and create new ones.