elasticsearch
| Link | package | bugs open | bugs closed | Wiki | GitHub | web search |
| Description | Unknown |
| Version | Removed |
Open
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-1638 | 7.10.2-2 | Medium | Unknown | FS#70137 |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-22145 | AVG-1638 | Medium | Yes | Information disclosure | A memory disclosure vulnerability was identified in Elasticsearch’s error reporting in versions 7.10.0 up to 7.13.3. A user with the ability to submit... |
| CVE-2021-22144 | AVG-1638 | Medium | Yes | Denial of service | An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser before versions 7.13.3... |
| CVE-2021-22137 | AVG-1638 | Medium | Yes | Information disclosure | A document disclosure flaw was found in Elasticsearch versions before 6.8.15 and 7.11.2 when Document or Field Level Security is used. Search queries do not... |
| CVE-2021-22135 | AVG-1638 | Medium | Yes | Information disclosure | In Elasticsearch versions before 7.11.2 and 6.8.15, a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and... |
| CVE-2021-22134 | AVG-1638 | Low | Yes | Information disclosure | A document disclosure flaw was found in Elasticsearch before version 7.11.0 when Document or Field Level Security is used. Get requests do not properly... |
Resolved
| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2620 | 7.10.2-1 | 7.10.2-2 | Critical | Fixed | FS#72975 |
| AVG-2342 | 7.10.2-1 | Medium | Not affected | ||
| AVG-1884 | 7.10.1-1 | Critical | Not affected | ||
| AVG-1455 | 7.10.1-1 | 7.10.2-1 | Medium | Fixed | FS#70061 |
| AVG-912 | 6.6.0-1 | 6.6.1-1 | High | Fixed |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2021-44228 | AVG-2620 | Critical | Yes | Arbitrary code execution | Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI... |
| CVE-2021-37937 | AVG-2342 | Medium | Yes | Privilege escalation | A security issue has been found in Elasticsearch versions from 7.13.0 through 7.14.0. An issue was found with how API keys are created with the fleet-server... |
| CVE-2021-22149 | AVG-1884 | High | Yes | Access restriction bypass | A flaw in Elastic App Search in Elastic Enterprise Search versions prior to 7.14.0 was discovered where API keys were missing authorization via an alternate... |
| CVE-2021-22148 | AVG-1884 | High | Yes | Access restriction bypass | A flaw in Elastic App Search in Elastic Enterprise Search versions prior to 7.14.0 was discovered where API keys were not bound to the same engines as their... |
| CVE-2021-22147 | AVG-1884 | Medium | Yes | Information disclosure | A flaw was discovered in Elasticsearch versions 7.11.0 to 7.13.4 where document and field level security was not applied to searchable snapshots. This could... |
| CVE-2021-22140 | AVG-1884 | Critical | Yes | Xml external entity injection | An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being... |
| CVE-2021-22132 | AVG-1455 | Medium | Yes | Information disclosure | Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly... |
| CVE-2019-7611 | AVG-912 | High | Yes | Privilege escalation | A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split... |
Advisories
| Date | Advisory | Group | Severity | Type |
|---|---|---|---|---|
| 25 Feb 2019 | ASA-201902-27 | AVG-912 | High | privilege escalation |