Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-7014

Опубликовано: 03 июн. 2020
Источник: redhat
CVSS3: 8.8
EPSS Низкий

Описание

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

Отчет

OpenShift Container Platform 4.x and 3.11 use Elasticsearch 5.6 which does not have the API Keys feature.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Decision Manager 7elasticsearchNot affected
Red Hat Fuse 7elasticsearchNot affected
Red Hat JBoss Fuse 6elasticsearchNot affected
Red Hat OpenShift Container Platform 3.11openshift3/ose-logging-elasticsearch5Not affected
Red Hat OpenShift Container Platform 4openshift4/ose-logging-elasticsearch5Not affected
Red Hat Process Automation 7elasticsearchNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-266
https://bugzilla.redhat.com/show_bug.cgi?id=1849019elasticsearch: Incomplete fix for CVE-2020-7009 could result in generating API key with elevated privileges

EPSS

Процентиль: 64%
0.00465
Низкий

8.8 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2020-7014

CVSS3: 8.8
ubuntu
больше 5 лет назад

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

nvd логотип

CVE-2020-7014

CVSS3: 8.8
nvd
больше 5 лет назад

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

msrc логотип

CVE-2020-7014

CVSS3: 8.8
msrc
около 4 лет назад

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

debian логотип

CVE-2020-7014

CVSS3: 8.8
debian
больше 5 лет назад

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch ve ...

github логотип

GHSA-hqqv-9x3v-mp7w

CVSS3: 8.8
github
почти 5 лет назад

Privilege Escalation Flaw in Elasticsearch

EPSS

Процентиль: 64%
0.00465
Низкий

8.8 High

CVSS3