Vulnerability CVE-2020-7018


Published: 2020-08-18

Description:
Elastic Enterprise Search before 7.9.0 contains a credential exposure flaw in the App Search interface. If a user is given the "developer" role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions as the App Search administrator.

Type: CWE-269 (Improper Privilege Management)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software:
Elastic -> Enterprise search

 References:
https://discuss.elastic.co/t/enterprise-search-7-9-0-security-update/245457

Copyright 2022, cxsecurity.com

 
