Lucene search

Veracode Vulnerability DatabaseVERACODE:44067

HistoryOct 31, 2023 - 6:49 a.m.

Sensitive Information Disclosure

2023-10-3106:49:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

elasticsearch

vulnerability

sensitive information

disclosure

audit log

deprecated uris

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.8%

JSON

org.elasticsearch: elasticsearch is vulnerable to Insertion Of Sensitive Information Into Log File. The vulnerability is caused by a failure to filter out sensitive information and credentials before logging to the audit log when requests to Elasticsearch use certain deprecated URIs for APIs. This can lead to sensitive information such as passwords and tokens getting printed in cleartext to Elasticsearch audit logs.

CPENameOperatorVersion
serverle7.17.12
serverle8.9.1
serverle7.17.12
serverle8.9.1

Name	Operator	Version
server	le	7.17.12
server	le	8.9.1
server	le	7.17.12
server	le	8.9.1

References

discuss.elastic.co/t/elasticsearch-8-9-2-and-7-17-13-security-update/342479

github.com/advisories/GHSA-99pc-69q9-jxf2

security.netapp.com/advisory/ntap-20231130-0006/

www.elastic.co/community/security

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.8%

JSON

Related for VERACODE:44067