CVEs present in the latest version

beltran-rubo · May 9, 2023, 2:20pm

In the latest release, at this moment 8.7.1, there are vulnerabilities in some jar files included. From Trivy scanner:

CVE-2020-15522
CVE-2020-8908
CVE-2021-29425
CVE-2021-40690
CVE-2022-1471
CVE-2022-45146
CVE-2023-1370

Is there any upgrade policy for upgrading those jar files? Is there any assessment that concludes those are not critical for Elasticsearch? Thanks.

DavidTurner · May 9, 2023, 3:03pm

The process for reporting potential security vulnerabilities is described on this page. Unfortunately we are unable to discuss potential security issues in public.

system · June 6, 2023, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Some vulnerabilities in Elasticsearch v7.10.0 Elasticsearch	3	516	December 10, 2021
Vulnerability CVE-2020-13956 reported on Elasticsearch 7.17.4 Elasticsearch	5	342	July 18, 2022
High Vulnerabilities found in Elasticsearch docker image v7.17.9 Elasticsearch docker	3	735	March 20, 2023
Discuss: Security Vulnerabilities: ESA-2023-14 - CVE-2023-31419 Elasticsearch	3	683	January 4, 2024
Oracle JDK vulnerability updates Elasticsearch	1	95	August 13, 2024

CVEs present in the latest version

Related topics