CRITICALβœ“ PATCHπŸ‡΅πŸ‡± Wersja polska

CVE-2025-37729

CVSS 9.1v3.1pub. 2025-10-13upd. 2025-12-11

Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Elastic Cloud Enterprise

    APP
    Elastic
    2.5.0 – 3.8.2 (bez)4.0.0 – 4.0.2 (bez)
🟒
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2025-37736HIGH8.8ten sam produkt

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonl...

CVE-2024-37282HIGH8.1ten sam produkt

It was identified that under certain specific preconditions, an API key that was originally created with a spe...

CVE-2023-31418HIGH7.5ten sam produkt

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...

CVE-2018-3828HIGH7.5ten sam produkt

Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was d...

CVE-2022-23716MEDIUM5.3ten sam produkt

A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key us...

CVE-2025-37729 β€” Elastic β€” Elastic Cloud Enterprise β€” CRITICAL β€” CVSS 9.1 | CVEbaza.pl