CVE-2018-3831

EUVD-2022-5136
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
elasticelasticsearch
5.6.0 ≤
𝑥
< 5.6.12
elasticelasticsearch
6.0.0 ≤
𝑥
< 6.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
elasticsearch
bionic
dne
cosmic
dne
disco
dne
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
https://www.elastic.co/community/security
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
https://www.elastic.co/community/security