CVE-2019-7619

Published: Oct 30, 2019Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

Affected (2)

Products: Elastic: Elasticsearch

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	From 6.7.0 to 6.8.3
Elastic Elasticsearch	From 7.0.0 to 7.3.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908

Source: security@elastic.co

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831

Source: security@elastic.co

Vendor Advisory

https://www.elastic.co/community/security

Source: security@elastic.co

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.elastic.co/community/security

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.