Password Hash Exposure in Search Guard by Flaw in Internal User Database
CVE-2019-13421

4.9MEDIUM

Key Information:

Vendor

Floragunn

Status
Search Guard
Vendor
CVE Published:
23 August 2019

What is CVE-2019-13421?

An issue in Search Guard versions prior to 23.1 allows administrative users to access bcrypt password hashes of other users stored in the internal user database. This vulnerability poses a risk of unauthorized access to user credentials, potentially leading to further exploitation of affected systems. It is crucial for users of Search Guard to update to the latest version to mitigate this security risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Search Guard < 23.1

References

https://search-guard.com/cve-advisory/
x_refsource_MISC
https://docs.search-guard.com/6.x-23/changelog-searchguar...
x_refsource_CONFIRM
https://www.syss.de/fileadmin/dokumente/Publikationen/Adv...
x_refsource_MISC

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This security vulnerability was found by Torsten Lutz and Oliver Streicher of SySS GmbH. E-Mail: torsten.lutz (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Torsten_Lutz.asc Key Fingerprint: DAB2 86A6 C099 1350 9FCB FB9B 94E8 DC24 BAEC ACC8 E-Mail: oliver.streicher (at) syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Streicher.asc Key Fingerprint: 1973 E30F 7966 F45E CCAB 1BF1 3F08 A35E DCB8 35D6
JSON
.