First published: Thu Aug 25 2022
A flaw was discovered in Elastic Cloud Enterprise (ECE) before 3.4.0 that might lead to the disclosure of sensitive information, such as user passwords and Elasticsearch keystore settings values, in logs such as the audit log or deployment logs in the Logging and Monitoring cluster. The affected APIs are PATCH /api/v1/user and PATCH /deployments/{deployment_id}/elasticsearch/{ref_id}/keystore.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Cloud Enterprise | <3.4.0 | |
The vulnerability ID for this flaw is CVE-2022-23715.
The severity of CVE-2022-23715 is medium with a CVSS score of 6.5.
The affected software for CVE-2022-23715 is Elastic Cloud Enterprise before 3.4.0.
CVE-2022-23715 could lead to the disclosure of sensitive information such as user passwords and Elasticsearch keystore settings values in logs.
To mitigate CVE-2022-23715, it is recommended to update Elastic Cloud Enterprise to version 3.4.0 or newer.
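To locate log entries that may hold the disclosed values, exported log lines can be checked for PATCH requests to the two affected APIs. The following is an added example, not Elastic's code and not part of the original advisory; the sample log lines and their layout are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Path templates copied from the advisory; {name} stands for one path segment.
AFFECTED_APIS = (
    "/api/v1/user",
    "/deployments/{deployment_id}/elasticsearch/{ref_id}/keystore",
)
METHOD = re.compile(r"\bPATCH\b")
SEGMENT = "[^/\\s?\"']+"  # one path segment: stops at '/', whitespace, '?', quotes


def compile_template(template):
    """Build a regex for a path template; the path must end where the template ends."""
    literal_parts = re.split(r"\{[^}]+\}", template)
    body = SEGMENT.join(re.escape(part) for part in literal_parts)
    # The lookahead rejects longer paths such as /api/v1/users or .../keystore/x.
    return re.compile(body + r"(?![\w/.-])")


PATTERNS = {t: compile_template(t) for t in AFFECTED_APIS}


def find_affected_entries(lines):
    """Return {api_template: [line_number, ...]} for lines recording a PATCH to an affected API.

    Method and path are matched independently, so key order in JSON logs does not matter.
    This is a triage filter: a hit marks a line to review, not proof that a secret was logged.
    """
    hits = defaultdict(list)
    for number, line in enumerate(lines, 1):
        if not METHOD.search(line):
            continue
        for template, pattern in PATTERNS.items():
            if pattern.search(line):
                hits[template].append(number)
    return dict(hits)


# Constructed sample lines (not real ECE output), mixing plain-text and JSON layouts.
SAMPLE = [
    "2022-08-01T10:00:00Z PATCH /api/v1/user status=200",
    "2022-08-01T10:00:01Z GET /api/v1/user status=200",
    "2022-08-01T10:00:02Z PATCH /api/v1/users/alice status=200",
    '{"method":"PATCH","path":"/api/v1/deployments/abc123/elasticsearch/main-elasticsearch/keystore"}',
    '{"path":"/api/v1/deployments/abc123/elasticsearch/main-elasticsearch/keystore","method":"GET"}',
    "2022-08-01T10:00:05Z PATCH /api/v1/user?pretty=true status=200",
]

if __name__ == "__main__":
    for api, line_numbers in find_affected_entries(SAMPLE).items():
        print(api, line_numbers)
```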