CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46669 – Elastic Agent / Elastic Endpoint Security local API key disclosure
https://notcve.org/view.php?id=CVE-2023-46669
01 May 2025 — Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors. • https://discuss.elastic.co/t/elastic-agent-elastic-endpoint-security-security-update-esa-2025-03/377706 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25013 – Elastic Defend Insertion of Sensitive Information into Log Files
https://notcve.org/view.php?id=CVE-2025-25013
08 Apr 2025 — Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack. • https://discuss.elastic.co/t/elastic-defend-8-17-3-security-update-esa-2025-05/376921 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12556 – Kibana Prototype Pollution can lead to code injection
https://notcve.org/view.php?id=CVE-2024-12556
08 Apr 2025 — Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. • https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52981
https://notcve.org/view.php?id=CVE-2024-52981
08 Apr 2025 — An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection objects could cause a stackoverflow. • https://discuss.elastic.co/t/elasticsearch-7-17-24-and-8-15-1-security-update-esa-2024-37/376924 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52974
https://notcve.org/view.php?id=CVE-2024-52974
08 Apr 2025 — An issue has been identified where a specially crafted request sent to an Observability API could cause the kibana server to crash. A successful attack requires a malicious user to have read permissions for Observability assigned to them. • https://discuss.elastic.co/t/kibana-7-17-23-and-8-15-1-security-update-esa-2024-36/376923 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52980 – Elasticsearch Uncontrolled Resource Consumption vulnerability
https://notcve.org/view.php?id=CVE-2024-52980
08 Apr 2025 — A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class could cause the Elasticsearch node to crash. A successful attack requires a malicious user to have read_pipeline Elasticsearch cluster privilege assigned to them. • https://discuss.elastic.co/t/elasticsearch-8-15-1-security-update-esa-2024-34/376919 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-25015 – Kibana arbitrary code execution via prototype pollution
https://notcve.org/view.php?id=CVE-2025-25015
05 Mar 2025 — Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2 , this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors La contaminación de prototipos en Kibana conduce a la ejecución de código arbitrario a trav... • https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-43708
https://notcve.org/view.php?id=CVE-2024-43708
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted payload to a number of inputs in Kibana UI. This can be carried out by users with read access to any feature in Kibana. Una asignación de recursos sin límites ni limitaciones en Kibana puede provocar un bloqueo causado por un payload especialmente manipulado para una serie de entradas en la interfaz de usuario de Kibana. Esto lo pueden llevar a cabo los usuarios con acceso de lectura a cualqui... • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52975 – Fleet Server sensitive information exposure via logs
https://notcve.org/view.php?id=CVE-2024-52975
23 Jan 2025 — An issue was identified in Fleet Server where Fleet policies that could contain sensitive information were logged on INFO and ERROR log levels. The nature of the sensitive information largely depends on the integrations enabled. • https://discuss.elastic.co/t/fleet-server-8-15-0-security-update-esa-2024-31/373522 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52972 – Kibana allocation of resources without limits or throttling leads to crash
https://notcve.org/view.php?id=CVE-2024-52972
23 Jan 2025 — An allocation of resources without limits or throttling in Kibana can lead to a crash caused by a specially crafted request to /api/metrics/snapshot. This can be carried out by users with read access to the Observability Metrics or Logs features in Kibana. • https://discuss.elastic.co/t/kibana-7-17-23-8-15-0-security-updates-esa-2024-32-esa-2024-33/373548 • CWE-770: Allocation of Resources Without Limits or Throttling •