CVE-2018-3826Sensitive Information Exposure in Elasticsearch

CWE-200Sensitive Information ExposureCWE-311Missing Encryption of Sensitive Data3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.4%
top 40.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Elasticsearch
Timeline
PublishedSep 19
Latest updateMay 13

Description

In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDelastic/elasticsearch6.0.06.2.4+1
CVEListV5elastic/elasticsearch6.0.0-beta1 to 6.2.4

🔴Vulnerability Details

2
GHSA
GHSA-qq5c-fj9j-h9xv: In Elasticsearch versions 62022-05-13
CVEList
CVE-2018-3826: In Elasticsearch versions 62018-09-19
CVE-2018-3826 — Sensitive Information Exposure | cvebase