CVE-2019-7619
Published 2019-10-30
Priority P432 medium, 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 2.43% (82.2th percentile)
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | 6.7.0 – 6.8.3 | — |
| elastic | elasticsearch | 7.0.0 – 7.3.2 | — |
CVSS provenance
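| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 5.3 | MEDIUM | — |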
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
ghsa·2022-05-24
CVE-2019-7619 [MEDIUM] CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
osv·2022-05-24
CVE-2019-7619 [MEDIUM] Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
Red Hat
elasticsearch: Username disclosure in API Key service
vendor_redhat·2019-10-23·CVSS 5.3
CVE-2019-7619 [MEDIUM] CWE-200 elasticsearch: Username disclosure in API Key service
Package: elasticsearch (Red Hat Decision Manager 7) - Not affected
Package: elasticsearch (Red Hat Fuse 7) - Not affected
Package: elasticsearch (Red Hat JBoss Fuse 6) - Out of support scope
Package: elasticsearch (Red Hat OpenShift Container Platform 3.10) - Not affected
Package: openshift3/ose-logging-elasticsearch5 (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: elasticsearch (Red Hat OpenShift Container Platform 3.2) - Not affected
Package: elasticsearc
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-7619 elasticsearch: Username disclosure in API Key service [fedora-all]
bugzilla·2019-10-23·CVSS 5.3
CVE-2019-7619 [MEDIUM] CVE-2019-7619 elasticsearch: Username disclosure in API Key service [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versi
Bugzilla
CVE-2019-7619 elasticsearch: Username disclosure in API Key service
bugzilla·2019-10-23·CVSS 5.3
CVE-2019-7619 [MEDIUM] CVE-2019-7619 elasticsearch: Username disclosure in API Key service
A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
References:
https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
Discussion:
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1764752]
---
OpenShift Container Platform does not ship the X-Pack add-on for ElasticSearch.
---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-7619
https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831
https://www.elastic.co/community/security