CVE-2019-7614
Published: 2019-07-30
Priority: P431 · Severity: medium · CVSS 3.1 base score: 5.9
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.01% (58.7th percentile)
A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | < 6.8.2 | 6.8.2 |
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | >= 7.0.0 < 7.2.1 | 7.2.1 |
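A small checker for the two version ranges in the table above, added here as an example (it is not Elastic's tooling and not code from this advisory). It encodes the ranges exactly as listed (everything before 6.8.2, and 7.0.0 up to but not including 7.2.1), parses the `version.number` field that an Elasticsearch node returns from `GET /`, and reports whether the node is in an affected range and which release fixes it. The JSON body in `SAMPLE_ROOT_RESPONSE` is constructed for the example; the only assumption about the real endpoint is that `GET /` returns a JSON object with `version.number`.

```python
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges taken from the table above:
# (inclusive lower bound or None for "no lower bound", exclusive upper bound).
# The exclusive upper bound is also the first fixed release on that branch.
AFFECTED_RANGES = [
    (None, (6, 8, 2)),        # every release before 6.8.2 (fixed in 6.8.2)
    ((7, 0, 0), (7, 2, 1)),   # 7.0.0 up to but not including 7.2.1 (fixed in 7.2.1)
]

# Accepts "7.2.0", "6.8.1", and pre-release forms such as "7.2.0-SNAPSHOT"
# (the suffix is ignored for range purposes).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Version:
    """Turn 'major.minor.patch[...]' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def _matching_range(v: Version):
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or v >= lo) and v < hi:
            return lo, hi
    return None


def is_affected(version: str) -> bool:
    """True if the release falls inside one of the advisory's affected ranges."""
    return _matching_range(parse_version(version)) is not None


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the matching branch, or None if not affected."""
    r = _matching_range(parse_version(version))
    if r is None:
        return None
    return ".".join(str(x) for x in r[1])


def check_root_response(body: str) -> dict:
    """Evaluate the JSON body returned by `GET /` on an Elasticsearch node."""
    doc = json.loads(body)
    number = doc["version"]["number"]
    return {
        "version": number,
        "affected": is_affected(number),
        "fixed_in": fixed_version_for(number),
    }


# Constructed sample of a `GET /` body (not captured from a real cluster).
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "example",
    "version": {"number": "7.2.0", "build_flavor": "default"},
    "tagline": "You Know, for Search",
})

if __name__ == "__main__":
    print(check_root_response(SAMPLE_ROOT_RESPONSE))
```

To run it against a live node, feed the body of `GET /` (for a default install, `curl -s http://<host>:9200/`; port and auth are deployment-specific) to `check_root_response`. Note that the ranges only say whether the code is present; there is no configuration workaround recorded on this page, so an affected node is fixed by upgrading to the listed release.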
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Red Hat (vendor) | — | 5.9 | MEDIUM | — |
OSV
osv · 2022-05-24 · CVE-2019-7614 [MEDIUM]
Concurrent Execution using Shared Resource with Improper Synchronization in Elasticsearch
GHSA
ghsa · 2022-05-24 · CVE-2019-7614 [MEDIUM] · CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization in Elasticsearch
Red Hat
vendor_redhat · 2019-07-31 · CVSS 5.9 · CVE-2019-7614 [MEDIUM] · CWE-362
elasticsearch: Race condition in response headers on systems with multiple submitting requests
Mitigation: There is no mitigation for this issue; the flaw can only be resolved by applying updates.
Package: elasticsearch (Red Hat Decision Manager 7) - Fix deferred
Package: elasticsearch (Red Hat Fuse 7) - Not affected
Package: elasticsearch (Red Hat JBoss Fuse 6) - Out of support scope
Package: elasticsearch (Red Hat OpenShift Container Platform 3.10) - Fix deferred
Package: openshift3/ose-loggin
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2019-08-30 · CVSS 5.9 · CVE-2019-7614 [MEDIUM]
CVE-2019-7614 elasticsearch: Race condition in response headers on systems with multiple submitting requests [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: th
Bugzilla
bugzilla · 2019-08-30 · CVSS 5.9 · CVE-2019-7614 [MEDIUM]
CVE-2019-7614 elasticsearch: Race condition in response headers on systems with multiple submitting requests
References:
https://www.elastic.co/pt/community/security/
Discussion:
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1747241]
---
Mitigation:
There is no mitigation for this issue; the flaw can only be resolved by applying updates.
---
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Fuse 6
Please refer to ht