Cloud Enterprise
Vulnerabilities
4
Known exploited
0
Max CVSS
9.8
Top EPSS
0.00603
Severity breakdown
Critical
1
High
2
Medium
1
Low
0
Affected version ranges
2.5.0–3.8.23.0.0–3.7.23.8.0–3.8.2
Also matched as (raw): cloud_enterprise
Top vulnerabilities
CVE-2024-37282It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
CVE-2025-37736Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is:
post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}
CVE-2025-37729Improper neutralization of special elements used in a template engine in Elastic Cloud Enterprise (ECE) can lead to a malicious actor with Admin access exfiltrating sensitive information and issuing commands via a specially crafted string where Jinjava variables are evaluated.
CVE-2017-8444The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0.2 do not properly encrypt traffic to ZooKeeper. If an attacker is able to man in the middle (MITM) the traffic between the client-forwarder and ZooKeeper they could potentially obtain sensitive data.