org.elasticsearch:elasticsearch 8.0.0-alpha1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.elasticsearch:elasticsearch package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the reindex request due to redacting certain fields from the body of rest requests in audit logs. An attacker can obtain sensitive information by triggering audit logs that capture confidential data during request processing. How to fix Insertion of Sensitive Information into Log File? Upgrade `org.elasticsearch:elasticsearch` to version 8.18.8, 8.19.5, 9.0.8, 9.1.5 or higher.	[,8.18.8)[8.19.0,8.19.5)[9.0.0-beta1,9.0.8)[9.1.0,9.1.5)
H Denial of Service (DoS) org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Denial of Service (DoS) via specifically crafted search templates with Mustache functions. An attacker can cause the Elasticsearch node to crash by sending malicious search templates. How to fix Denial of Service (DoS)? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.25, 8.16.0 or higher.	[,7.17.25)[8.0.0-alpha1,8.16.0)
M Missing Encryption of Sensitive Data org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data when creating a new Certificate Signing Request via the `elasticsearch-certutil` tool with the `csr` option. The private key that is generated is stored on disk unencrypted even if the `--pass` parameter is passed in the command invocation. How to fix Missing Encryption of Sensitive Data? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.23, 8.13.0 or higher.	[,7.17.23)[8.0.0-alpha1,8.13.0)
M Uncontrolled Recursion org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine. Affected versions of this package are vulnerable to Uncontrolled Recursion when processing a document in a deeply nested pipeline on an ingest node, causing the node to crash. How to fix Uncontrolled Recursion? Upgrade `org.elasticsearch:elasticsearch` to version 7.17.19, 8.13.0 or higher.	[,7.17.19)[8.0.0-alpha1,8.13.0)

Vulnerability

Vulnerable Version

Insertion of Sensitive Information into Log File

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the reindex request due to redacting certain fields from the body of rest requests in audit logs. An attacker can obtain sensitive information by triggering audit logs that capture confidential data during request processing.

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.elasticsearch:elasticsearch to version 8.18.8, 8.19.5, 9.0.8, 9.1.5 or higher.

[,8.18.8)[8.19.0,8.19.5)[9.0.0-beta1,9.0.8)[9.1.0,9.1.5)

Denial of Service (DoS)

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via specifically crafted search templates with Mustache functions. An attacker can cause the Elasticsearch node to crash by sending malicious search templates.

How to fix Denial of Service (DoS)?

Upgrade org.elasticsearch:elasticsearch to version 7.17.25, 8.16.0 or higher.

[,7.17.25)[8.0.0-alpha1,8.16.0)

Missing Encryption of Sensitive Data

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data when creating a new Certificate Signing Request via the elasticsearch-certutil tool with the csr option. The private key that is generated is stored on disk unencrypted even if the --pass parameter is passed in the command invocation.

How to fix Missing Encryption of Sensitive Data?

Upgrade org.elasticsearch:elasticsearch to version 7.17.23, 8.13.0 or higher.

[,7.17.23)[8.0.0-alpha1,8.13.0)

Uncontrolled Recursion

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Uncontrolled Recursion when processing a document in a deeply nested pipeline on an ingest node, causing the node to crash.

How to fix Uncontrolled Recursion?

Upgrade org.elasticsearch:elasticsearch to version 7.17.19, 8.13.0 or higher.

[,7.17.19)[8.0.0-alpha1,8.13.0)

org.elasticsearch:elasticsearch@8.0.0-alpha1 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically