Max CVSS | 10.0 | Min CVSS | 2.1 | Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
|---|---|---|---|---|
| CVE-2019-7609 | 10.0 | Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly le | 24-07-2024 - 16:58 | 25-03-2019 - 19:29 |
| CVE-2020-7010 | 5.0 | Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the | 10-02-2024 - 03:00 | 03-06-2020 - 18:15 |
| CVE-2019-7616 | 4.0 | Kibana versions before 6.8.2 and 7.2.1 contain a server side request forgery (SSRF) flaw in the graphite integration for Timelion visualizer. An attacker with administrative Kibana access could set the timelion:graphite.url configuration option to an | 03-03-2023 - 19:17 | 30-07-2019 - 22:15 |
| CVE-2019-7614 | 4.3 | A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header co | 03-03-2023 - 19:17 | 30-07-2019 - 22:15 |
| CVE-2019-7615 | 5.8 | A TLS certificate validation flaw was found in Elastic APM agent for Ruby versions before 2.9.0. When specifying a trusted server CA certificate via the 'server_ca_cert' setting, the Ruby agent would not properly verify the certificate returned by th | 03-03-2023 - 17:48 | 30-07-2019 - 22:15 |
| CVE-2020-7016 | 2.1 | Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL that when viewed by a Kibana user can lead to the Kibana process consuming large amounts of CPU and becoming unresponsive. | 16-11-2022 - 03:54 | 27-07-2020 - 18:15 |
| CVE-2020-7017 | 4.6 | In Kibana versions before 6.8.11 and 7.8.1 the region map visualization contains a stored XSS flaw. An attacker who is able to edit or create a region map visualization could obtain sensitive information or perform destructive actions on behalf of | 07-10-2022 - 17:56 | 27-07-2020 - 18:15 |
| CVE-2019-7611 | 6.8 | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.securi | 19-10-2020 - 18:10 | 25-03-2019 - 19:29 |
| CVE-2019-7613 | 5.0 | Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient logging flaw. An attacker able to inject certain characters into a log entry could prevent Winlogbeat from recording the event. | 06-10-2020 - 13:18 | 25-03-2019 - 19:29 |
| CVE-2019-7612 | 5.0 | A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as p | 05-10-2020 - 20:38 | 25-03-2019 - 19:29 |
| CVE-2020-7013 | 6.5 | Kibana versions before 6.8.9 and 7.7.0 contain a prototype pollution flaw in TSVB. An authenticated attacker with privileges to create TSVB visualizations could insert data that would cause Kibana to execute arbitrary code. This could possibly lead t | 26-06-2020 - 18:55 | 03-06-2020 - 18:15 |
| CVE-2020-7014 | 6.5 | The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able | 19-06-2020 - 11:15 | 03-06-2020 - 18:15 |
| CVE-2020-7015 | 3.5 | Kibana versions before 6.8.9 and 7.7.0 contain a stored XSS flaw in the TSVB visualization. An attacker who is able to edit or create a TSVB visualization could allow the attacker to obtain sensitive information from, or perform destructive actions, | 05-06-2020 - 18:48 | 03-06-2020 - 18:15 |
| CVE-2020-7012 | 6.5 | Kibana versions 6.7.0 to 6.8.8 and 7.0.0 to 7.6.2 contain a prototype pollution flaw in the Upgrade Assistant. An authenticated attacker with privileges to write to the Kibana index could insert data that would cause Kibana to execute arbitrary code. | 05-06-2020 - 18:36 | 03-06-2020 - 18:15 |
| CVE-2020-7011 | 4.3 | Elastic App Search versions before 7.7.0 contain a cross site scripting (XSS) flaw when displaying document URLs in the Reference UI. If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is abl | 05-06-2020 - 18:11 | 03-06-2020 - 18:15 |
| CVE-2020-7009 | 6.5 | Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API ke | 09-04-2020 - 14:58 | 31-03-2020 - 19:15 |
| CVE-2019-7621 | 3.5 | Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting (XSS) flaw in the coordinate and region map visualizations. An attacker with the ability to create coordinate map visualizations could create a malicious visualization. If another | 10-02-2020 - 21:53 | 18-12-2019 - 20:15 |
| CVE-2019-7617 | 6.4 | When the Elastic APM agent for Python versions before 5.1.0 is run as a CGI script, there is a variable name clash flaw if a remote attacker can control the proxy header. This could result in an attacker redirecting collected APM data to a proxy of t | 09-10-2019 - 23:52 | 22-08-2019 - 17:15 |
| CVE-2019-7608 | 4.3 | Kibana versions before 5.6.15 and 6.6.1 had a cross-site scripting (XSS) vulnerability that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. | 27-09-2019 - 05:15 | 25-03-2019 - 19:29 |
| CVE-2019-7610 | 9.3 | Kibana versions before 6.6.1 contain an arbitrary code execution flaw in the security audit logger. If a Kibana instance has the setting xpack.security.audit.enabled set to true, an attacker could send a request that will attempt to execute javascrip | 30-07-2019 - 22:15 | 25-03-2019 - 19:29 |