CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-31417 – Elasticsearch Insertion of sensitive information in audit logs
https://notcve.org/view.php?id=CVE-2023-31417
26 Oct 2023 — Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering was not applied when requests to Elasticsearch use certain deprecated URIs for APIs. The impact of this flaw is that sensitive information such as passwords and tokens might be printed in cleartext in Elasticsearch audit logs. Note that audit logging is disabled by default and needs to be explicitly enabled and even when audit logging is enabled, request bodies that cou... • https://discuss.elastic.co/t/elasticsearch-8-9-2-and-7-17-13-security-update/342479 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-31418 – Elasticsearch uncontrolled resource consumption
https://notcve.org/view.php?id=CVE-2023-31418
26 Oct 2023 — An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild. Se identificó un problema con la forma en que Elasticsearch manejó las solicitudes entrantes en la capa HTTP. Un usuario no a... • https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 11%CPEs: 2EXPL: 3CVE-2023-31419 – Elasticsearch StackOverflow vulnerability
https://notcve.org/view.php?id=CVE-2023-31419
22 Sep 2023 — A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service. Se descubrió una falla en Elasticsearch que afectaba a la API _search y permitía que una cadena de consulta especialmente manipulada provocara un desbordamiento de pila y, en última instancia, una denegación de servicio. • https://packetstorm.news/files/id/174807 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23712
https://notcve.org/view.php?id=CVE-2022-23712
06 Jun 2022 — A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request. Se ha detectado un fallo de Denegación de Servicio en Elasticsearch. Usando esta vulnerabilidad, un atacante no autenticado podría cerrar por la fuerza un nodo de Elasticsearch con una petición de red con un formato específico • https://discuss.elastic.co/t/elastic-stack-7-17-4-and-8-2-1-security-update/305530 • CWE-754: Improper Check for Unusual or Exceptional Conditions •