CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 1CVE-2025-25014 – Kibana arbitrary code execution via prototype pollution
https://notcve.org/view.php?id=CVE-2025-25014
06 May 2025 — A Prototype pollution vulnerability in Kibana leads to arbitrary code execution via crafted HTTP requests to machine learning and reporting endpoints. • https://github.com/Sratet/CVE-2025-25014 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-37730 – Logstash Improper Certificate Validation in TCP output
https://notcve.org/view.php?id=CVE-2025-37730
06 May 2025 — Improper certificate validation in Logstash's TCP output could lead to a man-in-the-middle (MitM) attack in “client” mode, as hostname verification in TCP output was not being performed when the ssl_verification_mode => full was set. • https://discuss.elastic.co/t/logstash-8-17-6-8-18-1-and-9-0-1-security-update-esa-2025-08/377869 • CWE-295: Improper Certificate Validation •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52979 – Elasticsearch Uncontrolled Resource Consumption vulnerability
https://notcve.org/view.php?id=CVE-2024-52979
01 May 2025 — Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. • https://discuss.elastic.co/t/elasticsearch-7-17-25-and-8-16-0-security-update-esa-2024-40/377709 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11390 – Kibana Unrestricted Upload of File with Dangerous Type Can Lead to XSS
https://notcve.org/view.php?id=CVE-2024-11390
01 May 2025 — Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files. The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices. • https://discuss.elastic.co/t/kibana-7-17-24-and-8-12-0-security-update-esa-2024-20/377712 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-25016 – Kibana Unrestricted Upload of File
https://notcve.org/view.php?id=CVE-2025-25016
01 May 2025 — Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. • https://discuss.elastic.co/t/kibana-7-17-19-and-8-13-0-security-update-esa-2024-47/377711 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11994 – APM Server Insertion of Sensitive Information into Log File
https://notcve.org/view.php?id=CVE-2024-11994
01 May 2025 — APM server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs. • https://discuss.elastic.co/t/apm-server-8-16-1-security-update-esa-2024-41/377710 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52976 – Elastic Agent Inclusion of Functionality from Untrusted Control Sphere
https://notcve.org/view.php?id=CVE-2024-52976
01 May 2025 — Inclusion of functionality from an untrusted control sphere in Elastic Agent subprocess, osqueryd, allows local attackers to execute arbitrary code via parameter injection. An attacker requires local access and the ability to modify osqueryd configurations. • https://discuss.elastic.co/t/elastic-agent-7-17-25-and-8-15-4-security-update-esa-2024-39/377708 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46669 – Elastic Agent / Elastic Endpoint Security local API key disclosure
https://notcve.org/view.php?id=CVE-2023-46669
01 May 2025 — Exposure of sensitive information to local unauthorized actors in Elastic Agent and Elastic Security Endpoint can lead to loss of confidentiality and impersonation of Endpoint to the Elastic Stack. This issue was identified by Elastic engineers and Elastic has no indication that it is known or has been exploited by malicious actors. • https://discuss.elastic.co/t/elastic-agent-elastic-endpoint-security-security-update-esa-2025-03/377706 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25013 – Elastic Defend Insertion of Sensitive Information into Log Files
https://notcve.org/view.php?id=CVE-2025-25013
08 Apr 2025 — Improper restriction of environment variables in Elastic Defend can lead to exposure of sensitive information such as API keys and tokens via automatic transmission of unfiltered environment variables to the stack. • https://discuss.elastic.co/t/elastic-defend-8-17-3-security-update-esa-2025-05/376921 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12556 – Kibana Prototype Pollution can lead to code injection
https://notcve.org/view.php?id=CVE-2024-12556
08 Apr 2025 — Prototype Pollution in Kibana can lead to code injection via unrestricted file upload combined with path traversal. • https://discuss.elastic.co/t/kibana-8-16-4-and-8-17-2-security-update-esa-2025-02/376918 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •