Описание
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Отчет
Subscription Asset Manager is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having a security impact Moderate, and is not currently planned to be addressed in future updates.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | elasticsearch | Affected | ||
| Red Hat JBoss Fuse 6 | elasticsearch | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.10 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.2 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.3 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.4 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.5 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.6 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.7 | elasticsearch | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6. ...
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
EPSS
5.3 Medium
CVSS3