CVE 列表 – 发现高风险与在野利用漏洞

聚合 NVD、CVE 及多源情报,深度解析 RCE 等高危风险。系统集成 CVSS 与 EPSS 模型,动态追踪 Exploit 资源与 PoC 公开状态,研判可利用性。结合官方补丁与修复方案,优化漏洞管理优先级,缩短响应周期,保障资产安全。

分配机构(CNA / 来源):[email protected] 移除此筛选

显示 120272 条结果
«« 第一页 « 上一页 第 1 / 14 页 下一页 »
CVE 描述 最高 CVSS EPSS % 公开时间 更新时间
CVE-2017-8438 Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen. 8.8 1.03% 2017-06-05 2026-06-16
CVE-2017-8439 Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug in the Time Series Visual Builder. This bug could allow an attacker to obtain sensitive information from Kibana users. 6.1 0.99% 2017-06-05 2026-06-16
CVE-2017-8440 Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vulnerability in the Discover page that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. 6.1 0.99% 2017-06-05 2026-06-16
CVE-2017-8441 Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias. 4.3 0.73% 2017-06-05 2026-06-16
CVE-2015-9056 Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS attack. 6.1 0.83% 2017-06-16 2026-06-16
CVE-2016-10362 Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. 6.5 1.08% 2017-06-16 2026-06-16
CVE-2016-10363 Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, a remote attacker crafting malicious Netflow v5, Netflow v9 or IPFIX packets could perform a denial of service attack on the Logstash instance. The errors resulting from these crafted inputs are not handled by the codec and can cause the Logstash process to exit. 7.5 1.31% 2017-06-16 2026-06-16
CVE-2016-10364 With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not properly authenticating requests to advanced settings and the short URL service, any authenticated user could make requests to those services regardless of their own permissions. 6.5 0.99% 2017-06-16 2026-06-16
CVE-2016-10365 Kibana versions before 4.6.3 and 5.0.1 have an open redirect vulnerability that would enable an attacker to craft a link in the Kibana domain that redirects to an arbitrary website. 6.1 1.02% 2017-06-16 2026-06-16
CVE-2016-10366 Kibana versions after and including 4.3 and before 4.6.2 are vulnerable to a cross-site scripting (XSS) attack. 6.1 0.94% 2017-06-16 2026-06-16
CVE-2017-8449 X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index. 5.9 0.83% 2017-06-16 2026-06-16
CVE-2017-8450 X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. 7.5 0.86% 2017-06-16 2026-06-16
CVE-2017-8451 With X-Pack installed, Kibana versions before 5.3.1 have an open redirect vulnerability on the login page that would enable an attacker to craft a link that redirects to an arbitrary website. 6.1 0.90% 2017-06-16 2026-06-16
CVE-2017-8452 Kibana versions prior to 5.2.1 configured for SSL client access, file descriptors will fail to be cleaned up after certain requests and will accumulate over time until the process crashes. 7.5 1.38% 2017-06-16 2026-06-16
CVE-2017-8443 In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user opens a crafted Kibana URL the result could be a redirect to an improperly initialized Kibana login screen. If the user enters credentials on this screen, the credentials will appear in the URL bar. The credentials could then be viewed by untrusted parties or logged into the Kibana access logs. 6.5 1.10% 2017-06-30 2026-06-16
CVE-2017-8442 Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. 6.5 0.92% 2017-07-07 2026-06-16
CVE-2017-8445 An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates. 5.5 0.16% 2017-08-18 2026-06-16
CVE-2017-8446 The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data. 5.3 0.69% 2017-08-18 2026-06-16
CVE-2017-11479 Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulnerability in Timelion that could allow an attacker to obtain sensitive information from or perform destructive actions on behalf of other Kibana users. 6.1 1.07% 2017-09-28 2026-06-16
CVE-2017-8444 The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data. 5.9 0.51% 2017-09-28 2026-06-16
«« 第一页 « 上一页 第 1 / 14 页 下一页 »
cvelogic Threat Intelligence