NVD:CVE-2022-23715
History: Aug 25, 2022 - 6:15 p.m.

CVE-2022-23715

2022-08-25 18:15:09
CWE-532
web.nvd.nist.gov
flaw
sensitive information
disclosure
logs
ece
3.4.0
apis
user passwords
elasticsearch
keystore settings

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001 Low
Percentile: 28.4%

A flaw was discovered in ECE before 3.4.0 that might lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore.

Affected configurations

NVD
Node: elastic elastic_cloud_enterprise, Range: <3.4.0
