Elastic Cloud on Kubernetes (ECK) secret token configuration issue
CVE-2023-31416

5.3MEDIUM

Key Information:

Vendor: Elastic
Status: Elastic Cloud On Kubernetes
Vendor: CVE Published:; 26 October 2023

Summary

Secret token configuration is never applied when using ECK <2.8 with APM Server >=8.0. This could lead to anonymous requests to an APM Server being accepted and the data ingested into this APM deployment.

Affected Version(s)

Elastic Cloud on Kubernetes <2.8

References

https://discuss.elastic.co/t/elastic-cloud-on-kubernetes-...

https://www.elastic.co/community/security

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 26, 2023
Vulnerability Reserved
Apr 27, 2023