CVE-2018-3831

Published: Sep 19, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.

Affected (2)

Products: Elastic: Elasticsearch

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	From 5.6.0 to 5.6.12
Elastic Elasticsearch	From 6.0.0 to 6.4.1

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035

Source: security@elastic.co

MitigationVendor Advisory

https://www.elastic.co/community/security

Source: security@elastic.co

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://www.elastic.co/community/security

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.