Known Vulnerabilities for products from Elasticsearch
Listed below are 16 of the newest known vulnerabilities associated with the vendor "Elasticsearch".
These CVEs are retrieved based on exact matches on listed vendor information (CPE data) as well as a keyword search to ensure the newest vulnerabilities with no officially listed vendor information are still displayed.
Data on known vulnerable products is also displayed based on information from known CPEs; each product links to its respective vulnerability page.
Known Vulnerabilities
| CVE | Shortened Description | Severity | Publish Date | Last Modified |
|---|---|---|---|---|
| CVE-2026-5417 | | Not Provided | 2026-04-02 | 2026-04-02 |
| CVE-2020-7017 | In Kibana versions before 6.8.11 and 7.8.1 the region map visualization contains a stored XSS flaw. An attacker who is abl... | 6.7 - MEDIUM | 2020-07-27 | 2022-10-07 |
| CVE-2020-7016 | Kibana versions before 6.8.11 and 7.8.1 contain a denial of service (DoS) flaw in Timelion. An attacker can construct a URL t... | 4.8 - MEDIUM | 2020-07-27 | 2022-11-16 |
| CVE-2017-14730 | The init script in the Gentoo app-admin/logstash-bin package before 5.5.3 and 5.6.x before 5.6.1 has "chown -R" calls for use... | 7.8 - HIGH | 2017-09-25 | 2019-10-03 |
| CVE-2017-11480 | Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat... | 7.5 - HIGH | 2017-12-08 | 2019-10-09 |
| CVE-2017-11479 | Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obt... | 6.1 - MEDIUM | 2017-09-29 | 2020-08-14 |
| CVE-2017-8446 | The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions prior to 2.4.6 h... | 5.3 - MEDIUM | 2017-08-18 | 2019-10-09 |
| CVE-2017-8444 | The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 does not properly encrypt traffic to ZooKeeper. If an ... | 5.9 - MEDIUM | 2017-09-29 | 2019-10-09 |
| CVE-2016-10362 | Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP... | 6.5 - MEDIUM | 2017-06-16 | 2019-10-09 |
| CVE-2015-5619 | Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS... | 5.9 - MEDIUM | 2017-08-09 | 2019-06-17 |
| CVE-2015-5531 | Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecifi... | 5 - MEDIUM | 2015-08-17 | 2018-10-09 |
| CVE-2015-5378 | Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder ... | 7.5 - HIGH | 2017-06-27 | 2019-06-17 |
| CVE-2015-4165 | The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and e... | 7.5 - HIGH | 2017-08-09 | 2018-10-09 |
| CVE-2015-3337 | Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows... | 4.3 - MEDIUM | 2015-05-01 | 2015-06-25 |
| CVE-2015-1427 | The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbo... | 7.5 - HIGH | 2015-02-17 | 2018-10-09 |
| CVE-2014-6439 | Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attacker... | 4.3 - MEDIUM | 2014-10-10 | 2018-10-09 |
| CVE-2014-3120 | The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arb... | 6.8 - MEDIUM | 2014-07-28 | 2016-12-06 |
Known software with vulnerabilities from Elasticsearch
| Type | Vendor | Product | Version |
|---|---|---|---|
| Application | Elasticsearch | Elasticsearch | 1.1.1 |
| Application | Elasticsearch | Kibana | 0.4.0 |
| Application | Elasticsearch | Logstash | 1.0.14 |
| Application | Elasticsearch | Packetbeat | 0.1.0 |