Lucene search

[email protected]CVE-2022-23715

HistoryAug 25, 2022 - 6:15 p.m.

CVE-2022-23715

2022-08-2518:15:09

CWE-532

[email protected]

web.nvd.nist.gov

625

cve-2022-23715

ece

information security

sensitive information disclosure

api vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.6%

JSON

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore

Affected configurations

NVD

Node

elasticelastic_cloud_enterpriseRange<3.4.0

CPENameOperatorVersion
elastic:elastic_cloud_enterpriseelastic elastic cloud enterpriselt3.4.0

CPE	Name	Operator	Version
elastic:elastic_cloud_enterprise	elastic elastic cloud enterprise	lt	3.4.0

CNA Affected

[
  {
    "product": "Elastic Cloud Enterprise",
    "vendor": "Elastic",
    "versions": [
      {
        "status": "affected",
        "version": "Versions through 3.4.0"
      }
    ]
  }
]

References

discuss.elastic.co/t/elastic-cloud-enterprise-3-4-0-security-update/312825

www.elastic.co/community/security

Social References

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.6%

JSON

Related for CVE-2022-23715

cvelist1 prion1 nvd1