Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOWZ2LXFwbTktcmo0Z84AAQl7
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Permalink: https://github.com/advisories/GHSA-r9fv-qpm9-rj4gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOWZ2LXFwbTktcmo0Z84AAQl7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00078
EPSS Percentile: 0.35523
Identifiers: GHSA-r9fv-qpm9-rj4g, CVE-2018-3831
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3831
- https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
- https://www.elastic.co/community/security
- https://github.com/advisories/GHSA-r9fv-qpm9-rj4g
Affected Packages
maven:org.elasticsearch:elasticsearch
Dependent packages: 1,411Dependent repositories: 18,551
Downloads:
Affected Version Ranges: >= 6.0.0, < 6.4.1, >= 5.6.0, < 5.6.12
Fixed in: 6.4.1, 5.6.12
All affected versions: 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 6.0.0, 6.0.1, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.3.0, 6.3.1, 6.3.2, 6.4.0
All unaffected versions: 0.6.0, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.16.4, 0.16.5, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.17.5, 0.17.6, 0.17.7, 0.17.8, 0.17.9, 0.17.10, 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.18.6, 0.18.7, 0.19.0, 0.19.1, 0.19.2, 0.19.3, 0.19.4, 0.19.5, 0.19.6, 0.19.7, 0.19.8, 0.19.9, 0.19.10, 0.19.11, 0.19.12, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.20.4, 0.20.5, 0.20.6, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.90.4, 0.90.5, 0.90.6, 0.90.7, 0.90.8, 0.90.9, 0.90.10, 0.90.11, 0.90.12, 0.90.13, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 5.0.0, 5.0.1, 5.0.2, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.12, 5.6.13, 5.6.14, 5.6.15, 5.6.16, 6.4.1, 6.4.2, 6.4.3, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.8.5, 6.8.6, 6.8.7, 6.8.8, 6.8.9, 6.8.10, 6.8.11, 6.8.12, 6.8.13, 6.8.14, 6.8.15, 6.8.16, 6.8.17, 6.8.18, 6.8.19, 6.8.20, 6.8.21, 6.8.22, 6.8.23, 7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.4.1, 7.4.2, 7.5.0, 7.5.1, 7.5.2, 7.6.0, 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.10.0, 7.10.1, 7.10.2, 7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.13.0, 7.13.1, 7.13.2, 7.13.3, 7.13.4, 7.14.0, 7.14.1, 7.14.2, 7.15.0, 7.15.1, 7.15.2, 7.16.0, 7.16.1, 7.16.2, 7.16.3, 7.17.0, 7.17.1, 7.17.2, 7.17.3, 7.17.4, 7.17.5, 7.17.6, 7.17.7, 7.17.8, 7.17.9, 7.17.10, 7.17.11, 7.17.12, 7.17.13, 7.17.14, 7.17.15, 7.17.16, 7.17.17, 7.17.18, 7.17.19, 7.17.20, 7.17.21, 7.17.22, 7.17.23, 7.17.24, 7.17.25, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.3.3, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.6.0, 8.6.1, 8.6.2, 8.7.0, 8.7.1, 8.8.0, 8.8.1, 8.8.2, 8.9.0, 8.9.1, 8.9.2, 8.10.0, 8.10.1, 8.10.2, 8.10.3, 8.10.4, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.11.4, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.13.3, 8.13.4, 8.14.0, 8.14.1, 8.14.2, 8.14.3, 8.15.0, 8.15.1, 8.15.2, 8.15.3, 8.15.4, 8.15.5, 8.16.0, 8.16.1