CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37282
https://notcve.org/view.php?id=CVE-2024-37282
28 Jun 2024 — It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges. • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-7-2-security-update-esa-2024-18/362181 • CWE-285: Improper Authorization •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-31418 – Elasticsearch uncontrolled resource consumption
https://notcve.org/view.php?id=CVE-2023-31418
26 Oct 2023 — An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild. Se identificó un problema con la forma en que Elasticsearch manejó las solicitudes entrantes en la capa HTTP. Un usuario no a... • https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23716
https://notcve.org/view.php?id=CVE-2022-23716
28 Sep 2022 — A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster. Se ha detectado un fallo en ECE versiones anteriores a 3.1.1, que podía conllevar a una revelación de la clave privada de firma de SAML usada para las funciones RBAC, en los registros de despliegue del clúster de registro y supervisión • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-1-1-security-update/315317 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23715
https://notcve.org/view.php?id=CVE-2022-23715
25 Aug 2022 — A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore Se ha detectado un fallo en ECE versiones anteriores a 3.4.0, que podría conducir a una divulgación de información confidencial, como las contras... • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-4-0-security-update/312825 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3829
https://notcve.org/view.php?id=CVE-2018-3829
19 Sep 2018 — In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and IP address of the coordinator-host could add a allocator to an existing ECE install to gain access to other clusters data. En Elastic Cloud Enterprise (ECE) en versiones anteriores a la 1.1.4, se ha descubierto que un usuario podría sacar de su escala los asignadores en nuevos hosts con un token de r... • https://discuss.elastic.co/t/elastic-cloud-enterprise-1-1-4-security-update/135778 • CWE-285: Improper Authorization CWE-290: Authentication Bypass by Spoofing •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3828
https://notcve.org/view.php?id=CVE-2018-3828
19 Sep 2018 — Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials. Elastic Cloud Enterprise (ECE), en versiones anteriores a la 1.1.4, contiene una vulnerabilidad de exposi... • https://discuss.elastic.co/t/elastic-cloud-enterprise-1-1-4-security-update/135778 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3825
https://notcve.org/view.php?id=CVE-2018-3825
19 Sep 2018 — In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known. En Elastic Cloud Enterprise (ECE) en versiones anteriores a la 1.1.4, una clave de cifrado maestra por... • https://discuss.elastic.co/t/elastic-cloud-enterprise-1-1-4-security-update/135778 • CWE-321: Use of Hard-coded Cryptographic Key CWE-1188: Initialization of a Resource with an Insecure Default •