CVE-2018-3826: Infoleak
First published: Wed Sep 19 2018(Updated: )
In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the _snapshot API. When the access_key and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elasticsearch | >=6.0.0<=6.2.4 | |
| Elastic Elasticsearch | =6.0.0-beta1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this disclosure flaw?
The vulnerability ID for this disclosure flaw is CVE-2018-3826.
What is the severity level of CVE-2018-3826?
CVE-2018-3826 has a severity level of medium.
Which versions of Elasticsearch are affected by CVE-2018-3826?
Elasticsearch versions 6.0.0-beta1 to 6.2.4 are affected by CVE-2018-3826.
What is the CWE identifier for this vulnerability?
The CWE identifier for CVE-2018-3826 is CWE-311 and CWE-200.
How can the disclosure flaw in CVE-2018-3826 be exploited?
The disclosure flaw in CVE-2018-3826 can be exploited by users who are able to query the _snapshot API in Elasticsearch and access the exposed access_key and security_key parameters.
- collector/nvd-index
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/elastic
- canonical/elastic elasticsearch
- version/elastic elasticsearch/6.0.0
- version/elastic elasticsearch/6.2.4
- version/elastic elasticsearch/6.0.0-beta1