CVE-2018-3825Use of Hard-coded Cryptographic Key in Cloud Enterprise

CWE-321Use of Hard-coded Cryptographic KeyCWE-1188Initialization of a Resource with an Insecure Default3 documents3 sources
Severity
5.9MEDIUMNVD
EPSS
0.1%
top 68.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Cloud Enterprise
Timeline
PublishedSep 19
Latest updateMay 13

Description

In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

CVEListV5elastic/elastic_cloud_enterprisebefore 1.1.4

🔴Vulnerability Details

2
GHSA
GHSA-4xqm-vfvr-257f: In Elastic Cloud Enterprise (ECE) versions prior to 12022-05-13
CVEList
CVE-2018-3825: In Elastic Cloud Enterprise (ECE) versions prior to 12018-09-19
CVE-2018-3825 — Use of Hard-coded Cryptographic Key | cvebase