CVEs present in the latest version

In the latest release, at this moment 8.7.1, there are vulnerabilities in some of the included jar files. From the Trivy scanner:

CVE-2020-15522
CVE-2020-8908
CVE-2021-29425
CVE-2021-40690
CVE-2022-1471
CVE-2022-45146
CVE-2023-1370

Is there any upgrade policy for upgrading those jar files? Is there any assessment that concludes those are not critical for Elasticsearch? Thanks.

The process for reporting potential security vulnerabilities is described on this page. Unfortunately we are unable to discuss potential security issues in public.
