CVE-2018-3831

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
elasticelasticsearch
5.6.0 ≤
𝑥
< 5.6.12
elasticelasticsearch
6.0.0 ≤
𝑥
< 6.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
elasticsearch
bionic
dne
cosmic
dne
disco
dne
trusty
dne
xenial
not-affected
Common Weakness Enumeration
References
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
https://www.elastic.co/community/security
https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
https://www.elastic.co/community/security