CVE-2022-23715Log File Information Exposure in Cloud Enterprise

CWE-532Log File Information Exposure3 documents3 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 48.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Cloud Enterprise
Timeline
PublishedAug 25
Latest updateAug 26

Description

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5elastic/elastic_cloud_enterpriseVersions through 3.4.0

🔴Vulnerability Details

2
GHSA
GHSA-9fgp-xgx7-gpx6: A flaw was discovered in ECE before 32022-08-26
CVEList
CVE-2022-23715: A flaw was discovered in ECE before 32022-08-25
CVE-2022-23715 — Log File Information Exposure | cvebase