CVE-2024-37282
https://notcve.org/view.php?id=CVE-2024-37282
It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges. • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-7-2-security-update-esa-2024-18/362181 • CWE-285: Improper Authorization •
CVE-2023-31418 – Elasticsearch uncontrolled resource consumption
https://notcve.org/view.php?id=CVE-2023-31418
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. The issue was identified by Elastic Engineering and we have no indication that the issue is known or that it is being exploited in the wild. Se identificó un problema con la forma en que Elasticsearch manejó las solicitudes entrantes en la capa HTTP. Un usuario no autenticado podría forzar la salida de un nodo de Elasticsearch con un error OutOfMemory enviando una cantidad moderada de solicitudes HTTP con formato incorrecto. • https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616 https://security.netapp.com/advisory/ntap-20231130-0005 https://www.elastic.co/community/security • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-23716
https://notcve.org/view.php?id=CVE-2022-23716
A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key used for the RBAC features, in deployment logs in the Logging and Monitoring cluster. Se ha detectado un fallo en ECE versiones anteriores a 3.1.1, que podía conllevar a una revelación de la clave privada de firma de SAML usada para las funciones RBAC, en los registros de despliegue del clúster de registro y supervisión • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-1-1-security-update/315317 https://www.elastic.co/community/security • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2022-23715
https://notcve.org/view.php?id=CVE-2022-23715
A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore Se ha detectado un fallo en ECE versiones anteriores a 3.4.0, que podría conducir a una divulgación de información confidencial, como las contraseñas de los usuarios y los valores de configuración de los almacenes de claves de Elasticsearch, en registros tales como el registro de auditoría o los registros de despliegue en el clúster de registro y supervisión. Las APIs afectadas son PATCH /api/v1/user y PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore • https://discuss.elastic.co/t/elastic-cloud-enterprise-3-4-0-security-update/312825 https://www.elastic.co/community/security • CWE-532: Insertion of Sensitive Information into Log File •