CVE-2020-7010 – github.com/elastic/cloud-on-k8s
Package
Manager: go
Name: github.com/elastic/cloud-on-k8s
Vulnerable Version: >=0 <1.1.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00352 (percentile 0.5692)
Details
Cryptographic Issues in ECK
Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed, they may be able to more easily brute force the Elasticsearch credentials generated by ECK.
Metadata
Created: 2022-02-15T01:57:18Z
Modified: 2024-02-12T15:33:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vfp4-xx6m-7vf6/GHSA-vfp4-xx6m-7vf6.json
CWE IDs: ["CWE-335"]
Alternative ID: GHSA-vfp4-xx6m-7vf6
Finding: F184
Auto approve: 1