org.elasticsearch:elasticsearch 7.0.0-alpha2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.elasticsearch:elasticsearch package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Missing Encryption of Sensitive Data org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data when creating a new Certificate Signing Request via the `elasticsearch-certutil` tool with the `csr` option. The private key that is generated is stored on disk unencrypted even if the `--pass` parameter is passed in the command invocation. How to fix Missing Encryption of Sensitive Data? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.23, 8.13.0 or higher.	[,7.17.23)[8.0.0-alpha1,8.13.0)
M Uncontrolled Recursion org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Uncontrolled Recursion when processing a document in a deeply nested pipeline on an ingest node, causing the node to crash. How to fix Uncontrolled Recursion? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.19, 8.13.0 or higher.	[,7.17.19)[8.0.0-alpha1,8.13.0)
H Uncontrolled Resource Consumption ('Resource Exhaustion') org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when handling incoming requests on the HTTP layer. An attacker can force a node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests. How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.13, 8.9.0 or higher.	[,7.17.13)[8.0.0,8.9.0)
M Cross-site Scripting (XSS) org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `Data Preview Pane` which could allow arbitrary JavaScript to be executed in a victim’s browser. How to fix Cross-site Scripting (XSS)? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.1, 8.0.1 or higher.	[,7.17.1)[8.0.0,8.0.1)
L Missing Authorization org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Missing Authorization by allowing users with `Read` access to the `Uptime` feature to modify alerting rules. That being said, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors. How to fix Missing Authorization? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.1, 8.0.1 or higher.	[,7.17.1)[8.0.0,8.0.1)
L Information Disclosure org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Information Disclosure. There is an information disclosure issue when audit logging and the `emit_request_body` option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details. How to fix Information Disclosure? Upgrade `org.elasticsearch:elasticsearch` to version 6.8.14, 7.10.0 or higher.	[,6.8.14)[7.0.0-alpha1,7.10.0)

Vulnerability

Vulnerable Version

Missing Encryption of Sensitive Data

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data when creating a new Certificate Signing Request via the elasticsearch-certutil tool with the csr option. The private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.

How to fix Missing Encryption of Sensitive Data?

Upgrade org.elasticsearch:elasticsearch to version 7.17.23, 8.13.0 or higher.

[,7.17.23)[8.0.0-alpha1,8.13.0)

Uncontrolled Recursion

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Uncontrolled Recursion when processing a document in a deeply nested pipeline on an ingest node, causing the node to crash.

How to fix Uncontrolled Recursion?

Upgrade org.elasticsearch:elasticsearch to version 7.17.19, 8.13.0 or higher.

[,7.17.19)[8.0.0-alpha1,8.13.0)

Uncontrolled Resource Consumption ('Resource Exhaustion')

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when handling incoming requests on the HTTP layer. An attacker can force a node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade org.elasticsearch:elasticsearch to version 7.17.13, 8.9.0 or higher.

[,7.17.13)[8.0.0,8.9.0)

Cross-site Scripting (XSS)

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Data Preview Pane which could allow arbitrary JavaScript to be executed in a victim’s browser.

How to fix Cross-site Scripting (XSS)?

Upgrade org.elasticsearch:elasticsearch to version 7.17.1, 8.0.1 or higher.

[,7.17.1)[8.0.0,8.0.1)

Missing Authorization

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Missing Authorization by allowing users with Read access to the Uptime feature to modify alerting rules. That being said, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors.

How to fix Missing Authorization?

Upgrade org.elasticsearch:elasticsearch to version 7.17.1, 8.0.1 or higher.

[,7.17.1)[8.0.0,8.0.1)

Information Disclosure

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Disclosure. There is an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

How to fix Information Disclosure?

Upgrade org.elasticsearch:elasticsearch to version 6.8.14, 7.10.0 or higher.

[,6.8.14)[7.0.0-alpha1,7.10.0)

org.elasticsearch:elasticsearch@7.0.0-alpha2 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?