CVE-2019-7619: Infoleak
First published: Wed Oct 30 2019(Updated: )
Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elasticsearch | >=6.7.0<=6.8.3 | |
| Elastic Elasticsearch | >=7.0.0<=7.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-7619?
CVE-2019-7619 is a vulnerability in Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 that allows an unauthenticated attacker to determine if a username exists in the Elasticsearch native realm.
What is the severity of CVE-2019-7619?
The severity of CVE-2019-7619 is medium with a CVSS score of 5.3 out of 10.
How does CVE-2019-7619 affect Elasticsearch?
CVE-2019-7619 affects Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 by disclosing usernames in the Elasticsearch native realm.
How can I fix CVE-2019-7619?
To fix CVE-2019-7619, update to the latest version of Elasticsearch. For version 7, update to 7.4.0 or newer. For version 6, update to 6.8.4 or newer.
Where can I find more information about CVE-2019-7619?
More information about CVE-2019-7619 can be found at these references: [Link 1](https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908), [Link 2](https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831), [Link 3](https://www.elastic.co/community/security).
- collector/nvd-index
- vendor/elastic
- canonical/elastic elasticsearch
- version/elastic elasticsearch/6.7.0
- version/elastic elasticsearch/6.8.3
- version/elastic elasticsearch/7.0.0
- version/elastic elasticsearch/7.3.2