Sensitive Data Exposure in Elasticsearch X-Pack Security by Elastic
CVE-2017-8442

6.5MEDIUM

Key Information:

Vendor
Elastic
Vendor
CVE Published:
7 July 2017

Summary

Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can leak sensitive configuration information through the _nodes API. This vulnerability makes it possible for an authenticated user to access sensitive details, such as SSL key paths and passphrases used in authentication realms. Consequently, this exposure could compromise the integrity and confidentiality of Elasticsearch deployments, necessitating prompt attention to secure sensitive data.

Affected Version(s)

Elasticsearch X-Pack Security 5.0.0 to 5.4.3

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.