Vulnerability Description
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elastic | Elasticsearch | >= 5.6.0, < 5.6.12 |
Related Weaknesses (CWE)
References
- https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/1490MitigationVendor Advisory
- https://www.elastic.co/community/securityVendor Advisory
- https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/1490MitigationVendor Advisory
- https://www.elastic.co/community/securityVendor Advisory
FAQ
What is CVE-2018-3831?
CVE-2018-3831 is a vulnerability with a CVSS score of 8.8 (HIGH). Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when que...
How severe is CVE-2018-3831?
CVE-2018-3831 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-3831?
Check the references section above for vendor advisories and patch information. Affected products include: Elastic Elasticsearch.