CVE-2018-3831

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
elasticCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
elasticelasticsearch
5.6.0 ≤
𝑥
< 5.6.12
elasticelasticsearch
6.0.0 ≤
𝑥
< 6.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
elasticsearch
disco
dne
cosmic
dne
bionic
dne
xenial
not-affected
trusty
dne
Common Weakness Enumeration
References
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
https://www.elastic.co/community/security
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
https://www.elastic.co/community/security