CVE-2018-3831 – org.elasticsearch:elasticsearch
Package
Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=5.6.0 <5.6.12 || >=6.0.0 <6.4.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00828 (percentile 0.73634)
Details
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Metadata
Created: 2022-05-13T01:27:27Z
Modified: 2022-06-28T23:46:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9fv-qpm9-rj4g/GHSA-r9fv-qpm9-rj4g.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-r9fv-qpm9-rj4g
Finding: F038
Auto approve: 1