All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NElastic Elasticsearch
APPElastic7.13.3
Related vulnerabilities
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving...
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers...
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacke...