org.elasticsearch:elasticsearch@7.1.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.elasticsearch:elasticsearch package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Uncontrolled Recursion

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Uncontrolled Recursion when processing a document in a deeply nested pipeline on an ingest node, causing the node to crash.

How to fix Uncontrolled Recursion?

Upgrade org.elasticsearch:elasticsearch to version 7.17.19, 8.13.0 or higher.

[,7.17.19) [8.0.0-alpha1,8.13.0)
  • M
Insertion of Sensitive Information into Log File

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to the logging of Watcher search input at the DEBUG log level, which may result in the unintended recording of sensitive information in log files. An attacker can gain access to sensitive data by examining the log files that contain the search query results.

Note:

This issue only affects users that use Watcher and have a Watch defined that uses the search input and additionally have set the search input’s logger to DEBUG or finer, for example using:

org.elasticsearch.xpack.watcher.input.search

org.elasticsearch.xpack.watcher.input

org.elasticsearch.xpack.watcher or wider, since the loggers are hierarchical.

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.elasticsearch:elasticsearch to version 7.17.16, 8.11.2 or higher.

[7.0.0,7.17.16) [8.0.0,8.11.2)
  • H
Improper Handling of Exceptional Conditions

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions when the script processor of an Ingest Pipeline is used with malformed scripts. A user can cause a node to crash by calling the Simulate Pipeline API.

How to fix Improper Handling of Exceptional Conditions?

Upgrade org.elasticsearch:elasticsearch to version 7.17.14, 8.10.3 or higher.

[7.0.0,7.17.14) [8.0.0,8.10.3)
  • H
Uncontrolled Resource Consumption ('Resource Exhaustion')

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when handling incoming requests on the HTTP layer. An attacker can force a node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade org.elasticsearch:elasticsearch to version 7.17.13, 8.9.0 or higher.

[,7.17.13) [8.0.0,8.9.0)
  • M
Stack-based Buffer Overflow

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the _search API.

How to fix Stack-based Buffer Overflow?

Upgrade org.elasticsearch:elasticsearch to version 7.17.13, 8.9.1 or higher.

[7.0.0,7.17.13) [8.0.0,8.9.1)
  • M
Cross-site Scripting (XSS)

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Data Preview Pane which could allow arbitrary JavaScript to be executed in a victim’s browser.

How to fix Cross-site Scripting (XSS)?

Upgrade org.elasticsearch:elasticsearch to version 7.17.1, 8.0.1 or higher.

[,7.17.1) [8.0.0,8.0.1)
  • L
Missing Authorization

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Missing Authorization by allowing users with Read access to the Uptime feature to modify alerting rules. That being said, any new or modified rules would not be enabled, and a user with this privilege could not modify alerting connectors.

How to fix Missing Authorization?

Upgrade org.elasticsearch:elasticsearch to version 7.17.1, 8.0.1 or higher.

[,7.17.1) [8.0.0,8.0.1)
  • M
Denial of Service (DoS)

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the {es} Grok parser. A user with the ability to submit arbitrary queries to {es} could create a malicious Grok query that will crash the {es} node.

How to fix Denial of Service (DoS)?

Upgrade org.elasticsearch:elasticsearch to version 7.13.3, 6.8.17 or higher.

[7.0.0,7.13.3) [,6.8.17)
  • M
Information Disclosure

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Disclosure. A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in a search disclosing the existence of documents an authenticated user should not be able to view.

How to fix Information Disclosure?

Upgrade org.elasticsearch:elasticsearch to version 7.11.2, 6.8.15 or higher.

[7.0.0,7.11.2) [,6.8.15)
  • L
Information Disclosure

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Disclosure. A document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.

How to fix Information Disclosure?

Upgrade org.elasticsearch:elasticsearch to version 7.11.2, 6.8.15 or higher.

[7.0.0,7.11.2) [,6.8.15)
  • L
Information Disclosure

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Disclosure. There is an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

How to fix Information Disclosure?

Upgrade org.elasticsearch:elasticsearch to version 6.8.14, 7.10.0 or higher.

[,6.8.14) [7.0.0-alpha1,7.10.0)
  • L
Information Exposure

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. It contains a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

How to fix Information Exposure?

Upgrade org.elasticsearch:elasticsearch to version 6.8.13, 7.9.2 or higher.

[0,6.8.13) [7.0.0,7.9.2)
  • H
Privilege Escalation

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Privilege Escalation. The package contains a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

How to fix Privilege Escalation?

Upgrade org.elasticsearch:elasticsearch to version 6.8.8, 7.6.2 or higher.

[6.7.0,6.8.8) [7.0.0,7.6.2)
  • H
Privilege Escalation

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Privilege Escalation. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

How to fix Privilege Escalation?

Upgrade org.elasticsearch:elasticsearch to version 6.8.8, 7.6.2 or higher.

[6.7.0,6.8.8) [7.0.0,7.6.2)
  • L
Information Exposure

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

How to fix Information Exposure?

Upgrade org.elasticsearch:elasticsearch to version 7.4.0, 6.8.4 or higher.

[7.0.0,7.4.0) [6.0.0,6.8.4)
  • M
Race Condition

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Race Condition. ‎On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.

How to fix Race Condition?

Upgrade org.elasticsearch:elasticsearch to version 6.8.2, 7.2.1 or higher.

[,6.8.2) [7.0.0,7.2.1)