CVE-2018-3828 — Log File Information Exposure in Cloud Enterprise
Severity
7.5 HIGH (NVD)
EPSS
0.2%
top 60.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 19
Latest update: May 13
Description
Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was discovered that certain exception conditions would result in encryption keys, passwords, and other security-sensitive headers being leaked to the allocator logs. An attacker with access to the logging cluster may obtain leaked credentials and perform authenticated actions using these credentials.
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9