org.elasticsearch:elasticsearch (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.elasticsearch:elasticsearch, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVE-2018-3831 — CVSS 8.8 (high): Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured…
CVE-2020-7014 — CVSS 8.8 (high): The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege…
CVE-2020-7009 — CVSS 8.8 (high): Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create…
CVE-2019-7611 — CVSS 8.1 (high): A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are…
CVE-2022-23712 — CVSS 7.5 (high): A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an…
CVE-2023-31418 — CVSS 7.5 (high): An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an…
CVE-2015-4165 — CVSS 7.5 (high): The snapshot API in Elasticsearch before 1.6.0 when another application exists on the system that can read Lucene files and execute code…
CVE-2025-37731 — CVSS 6.8 (medium): Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious…
CVE-2024-43709 — CVSS 6.5 (medium): An allocation of resources without limits or throttling in Elasticsearch can lead to an OutOfMemoryError exception resulting in a crash via…
CVE-2018-17244 — CVSS 6.5 (medium): Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active…
CVE-2020-7019 — CVSS 6.5 (medium): In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a…
CVE-2021-22144 — CVSS 6.5 (medium): In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack…
CVE-2021-22147 — CVSS 6.5 (medium): Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated…
CVE-2023-31419 — CVSS 6.5 (medium): A flaw was discovered in Elasticsearch, affecting the _search API that allowed a specially crafted query string to cause a Stack Overflow…
CVE-2023-46673 — CVSS 6.5 (medium): It was identified that malformed scripts used in the script processor of an Ingest Pipeline could cause an Elasticsearch node to crash when…
CVE-2024-12539 — CVSS 6.5 (medium): An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent…
CVE-2024-52979 — CVSS 6.5 (medium): Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead…
CVE-2024-52980 — CVSS 6.5 (medium): A flaw was discovered in Elasticsearch, where a large recursion using the innerForbidCircularReferences function of the PatternBank class…
CVE-2018-3824 — CVSS 6.1 (medium): X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject…
CVE-2018-17247 — CVSS 5.9 (medium): Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing…
CVE-2019-7614 — CVSS 5.9 (medium): A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system…
CVE-2025-37727 — CVSS 5.7 (medium): Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when…
CVE-2021-22137 — CVSS 5.3 (medium): In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used…
CVE-2019-7619 — CVSS 5.3 (medium): Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated…
CVE-2021-22135 — CVSS 5.3 (medium): Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API…
CVE-2023-49921 — CVSS 5.2 (medium): An issue was discovered by Elastic whereby Watcher search input logged the search query results on DEBUG log level. This could lead to raw…
CVE-2015-5531 — CVSS 5.0 (medium): Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors…
CVE-2024-52981 — CVSS 4.9 (medium): An issue was discovered in Elasticsearch, where a large recursion using the Well-KnownText formatted string with nested GeometryCollection…
CVE-2024-37280 — CVSS 4.9 (medium): A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of…
CVE-2024-23444 — CVSS 4.9 (medium): It was discovered by Elastic engineering that when elasticsearch-certutil CLI tool is used with the csr option in order to create a new…
CVE-2024-23450 — CVSS 4.9 (medium): A flaw was discovered in Elasticsearch, where processing a document in a deeply nested pipeline on an ingest node could cause the…
CVE-2020-7021 — CVSS 4.9 (medium): Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is…
CVE-2021-22132 — CVSS 4.8 (medium): Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search…
CVE-2024-23451 — CVSS 4.4 (medium): Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in…
CVE-2024-23449 — CVSS 4.3 (medium): An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the…
CVE-2015-3337 — CVSS 4.3 (medium): Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote…
CVE-2022-23708 — CVSS 4.3 (medium): A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built…
CVE-2014-6439 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject…
CVE-2021-22134 — CVSS 4.3 (medium): A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used…
CVE-2023-31417 — CVSS 4.1 (medium): Elasticsearch generally filters out sensitive information and credentials before logging to the audit log. It was found that this filtering…
CVE-2020-7020 — CVSS 3.1 (low): Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search…