Filtered by vendor Elastic
Total: 185 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-52980 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | N/A | 6.5 MEDIUM |
| A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them. | |||||
| CVE-2024-52974 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 6.5 MEDIUM |
| An issue has been identified where a specially crafted request sent to an Observability API could cause the Kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. | |||||
| CVE-2024-52981 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | N/A | 4.9 MEDIUM |
| An issue was discovered in Elasticsearch, where a large recursion using the Well-Known Text formatted string with nested GeometryCollection objects could cause a stack overflow. | |||||
| CVE-2024-12556 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 8.7 HIGH |
| Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. | |||||
| CVE-2025-25015 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 9.9 CRITICAL |
| Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors. | |||||
| CVE-2024-43708 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. | |||||
| CVE-2024-52972 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. | |||||
| CVE-2024-43707 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 7.7 HIGH |
| An issue was identified in Kibana where a user without access to Fleet can view Elastic Agent policies that could contain sensitive information. The nature of the sensitive information depends on the integrations enabled for the Elastic Agent and their respective versions. | |||||
| CVE-2024-43709 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via a specially crafted query using an SQL function. | |||||
| CVE-2024-52973 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 6.5 MEDIUM |
| An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/log_entries/summary. This can be carried out by users with read access to the Observability-Logs feature in Kibana. | |||||
| CVE-2024-12539 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | N/A | 6.5 MEDIUM |
| An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow. | |||||
| CVE-2024-43710 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 4.3 MEDIUM |
| A server side request forgery vulnerability was identified in Kibana where the /api/fleet/health_check API could be used to send requests to internal endpoints. Due to the nature of the underlying request, only endpoints available over https that return JSON could be accessed. This can be carried out by users with read access to Fleet. | |||||
| CVE-2024-37288 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 9.9 CRITICAL |
| A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. This issue only affects users that use Elastic Security’s built-in AI tools (https://www.elastic.co/guide/en/security/current/ai-for-security.html) and have configured an Amazon Bedrock connector (https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html). | |||||
| CVE-2024-37285 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 9.1 CRITICAL |
| A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges (https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv) and Kibana privileges (https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html) assigned to them. The following Elasticsearch indices permissions are required: write privilege on the system indices .kibana_ingest*; the allow_restricted_indices flag is set to true. Any of the following Kibana privileges are additionally required: under Fleet the All privilege is granted; under Integration the Read or All privilege is granted; access to the fleet-setup privilege is gained through the Fleet Server’s service account token. | |||||
| CVE-2024-37286 | 1 Elastic | 1 Apm Server | 2025-12-03 | N/A | 5.7 MEDIUM |
| APM server logs contain the document body from a partially failed bulk index request. For example, in case of unavailable_shards_exception for a specific document, because the ES response line contains the document body and APM server logs the ES response line on error, the document is effectively logged. | |||||
| CVE-2024-37279 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 4.3 MEDIUM |
| A flaw was discovered in Kibana, allowing view-only users of alerting to use the run_soon API, making the alerting rule run continuously and potentially affecting system availability if the alerting rule is running complex queries. | |||||
| CVE-2024-37287 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 9.1 CRITICAL |
| A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution. | |||||
| CVE-2024-37281 | 1 Elastic | 1 Kibana | 2025-12-03 | N/A | 6.5 MEDIUM |
| An issue was discovered in Kibana where a user with Viewer role could cause a Kibana instance to crash by sending a large number of maliciously crafted requests to a specific endpoint. | |||||
| CVE-2024-37283 | 1 Elastic | 1 Elastic Agent | 2025-12-03 | N/A | 6.5 MEDIUM |
| An issue was discovered whereby Elastic Agent will leak secrets from the agent policy elastic-agent.yml only when the log level is configured to debug. By default the log level is set to info, where no leak occurs. | |||||
| CVE-2023-49921 | 1 Elastic | 1 Elasticsearch | 2025-12-03 | N/A | 5.2 MEDIUM |
| An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw contents of documents stored in Elasticsearch being printed in logs. Elastic has released 8.11.2 and 7.17.16, which resolve this issue by removing this excessive logging. This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using: org.elasticsearch.xpack.watcher.input.search, org.elasticsearch.xpack.watcher.input, org.elasticsearch.xpack.watcher, or wider, since the loggers are hierarchical. | |||||
