PT-2019-18671 · Elastic · Elasticsearch

Published

2019-10-30

Updated

2022-05-24

CVE-2019-7619

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Elasticsearch versions 6.7.0 through 6.8.3 Elasticsearch versions 7.0.0 through 7.3.2

Description A username disclosure flaw was found in the API Key service of Elasticsearch. An unauthenticated attacker could send a specially crafted request to determine if a username exists in the Elasticsearch native realm.

Recommendations For Elasticsearch versions 6.7.0 through 6.8.3, update to a version outside of this range to resolve the issue. For Elasticsearch versions 7.0.0 through 7.3.2, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the API Key service to minimize the risk of exploitation.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2019-7619

GHSA-HXP8-R9G3-GRFR

Affected Products

Elasticsearch

PT-2019-18671 · Elastic · Elasticsearch

CVE-2019-7619

Weakness Enumeration

Related Identifiers

Affected Products

References · 7