
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore. • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-4-0-security-update/312825 https://www.elastic.co/community/security • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

A local privilege escalation (LPE) issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account. • https://discuss.elastic.co/t/elastic-8-3-1-8-3-0-and-7-17-5-security-update/308613 https://www.elastic.co/community/security • CWE-264: Permissions, Privileges, and Access Controls

CVSS: 6.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

A cross-site-scripting (XSS) vulnerability was discovered in the Vega Charts Kibana integration which could allow arbitrary JavaScript to be executed in a victim’s browser. • https://discuss.elastic.co/t/elastic-8-3-1-8-3-0-and-7-17-5-security-update/308613 https://www.elastic.co/community/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. • https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530 https://security.netapp.com/advisory/ntap-20220707-0010 https://www.elastic.co/community/security • CWE-754: Improper Check for Unusual or Exceptional Conditions

CVSS: 5.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

A vulnerability in Kibana could expose sensitive information related to Elastic Stack monitoring in the Kibana page source. Elastic Stack monitoring features provide a way to keep a pulse on the health and performance of your Elasticsearch cluster. Authentication with a vulnerable Kibana instance is not required to view the exposed information. The Elastic Stack monitoring exposure only impacts users that have set any of the optional monitoring.ui.elasticsearch.* settings in order to configure Kibana as a remote UI for Elastic Stack Monitoring. The same vulnerability in Kibana could expose other non-sensitive application-internal information in the page source. • https://discuss.elastic.co/t/kibana-7-17-3-and-8-1-3-security-update/302826 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor