CVE-2018-3831 - High Severity Vulnerability
Vulnerable Libraries - elasticsearch-6.4.0.jar, elasticsearch-5.5.0.jar, elasticsearch-6.0.0.jar, elasticsearch-6.3.2.jar, elasticsearch-5.0.0.jar, elasticsearch-5.3.0.jar
elasticsearch-6.4.0.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-6.4/rest-6.4.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.0/e14f124c6b7cfc93aa5e5c7f616df4f06c0f7c99/elasticsearch-6.4.0.jar
Dependency Hierarchy:
- ❌ elasticsearch-6.4.0.jar (Vulnerable Library)
elasticsearch-5.5.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-5.3/transport-5.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.5.0/53060a2e2373158645f0c42c51996af4914eedd7/elasticsearch-5.5.0.jar
Dependency Hierarchy:
- spring-data-elasticsearch-3.0.0.RELEASE.jar (Root Library)
- ❌ elasticsearch-5.5.0.jar (Vulnerable Library)
elasticsearch-6.0.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-6/transport-6.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.0.0/5b88a93549c5082c3c500feab846d0f71da50a58/elasticsearch-6.0.0.jar
Dependency Hierarchy:
- transport-6.0.0.jar (Root Library)
- ❌ elasticsearch-6.0.0.jar (Vulnerable Library)
elasticsearch-6.3.2.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-5/rest-5.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.3.2/1b4b423e654d5ec6eef747ee29baf2bf1def1c7b/elasticsearch-6.3.2.jar
Dependency Hierarchy:
- ❌ elasticsearch-6.3.2.jar (Vulnerable Library)
elasticsearch-5.0.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-5/rest-5.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.0.0/3925b82e256d59b36d96f0b3ffaae4e73706cbdb/elasticsearch-5.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.0.0/3925b82e256d59b36d96f0b3ffaae4e73706cbdb/elasticsearch-5.0.0.jar
Dependency Hierarchy:
- ❌ elasticsearch-5.0.0.jar (Vulnerable Library)
elasticsearch-5.3.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-5.3/transport-5.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.3.0/f42e60773fa004188020327fcfbd5b946f9834c6/elasticsearch-5.3.0.jar
Dependency Hierarchy:
- transport-5.3.0.jar (Root Library)
- ❌ elasticsearch-5.3.0.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Publish Date: 2018-09-19
URL: CVE-2018-3831
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
Release Date: 2018-09-19
Fix Resolution (org.elasticsearch:elasticsearch): 5.6.12
Direct dependency fix Resolution (org.springframework.data:spring-data-elasticsearch): 3.1.0.RELEASE
Fix Resolution (org.elasticsearch:elasticsearch): 6.4.1
Direct dependency fix Resolution (org.elasticsearch.client:transport): 6.4.1
Fix Resolution (org.elasticsearch:elasticsearch): 5.6.12
Direct dependency fix Resolution (org.elasticsearch.client:transport): 5.6.12
⛑️ Automatic Remediation is available for this issue
CVE-2018-3831 - High Severity Vulnerability
elasticsearch-6.4.0.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-6.4/rest-6.4.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.0/e14f124c6b7cfc93aa5e5c7f616df4f06c0f7c99/elasticsearch-6.4.0.jar
Dependency Hierarchy:
elasticsearch-5.5.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-5.3/transport-5.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.5.0/53060a2e2373158645f0c42c51996af4914eedd7/elasticsearch-5.5.0.jar
Dependency Hierarchy:
elasticsearch-6.0.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-6/transport-6.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.0.0/5b88a93549c5082c3c500feab846d0f71da50a58/elasticsearch-6.0.0.jar
Dependency Hierarchy:
elasticsearch-6.3.2.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-5/rest-5.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.3.2/1b4b423e654d5ec6eef747ee29baf2bf1def1c7b/elasticsearch-6.3.2.jar
Dependency Hierarchy:
elasticsearch-5.0.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-5/rest-5.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.0.0/3925b82e256d59b36d96f0b3ffaae4e73706cbdb/elasticsearch-5.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.0.0/3925b82e256d59b36d96f0b3ffaae4e73706cbdb/elasticsearch-5.0.0.jar
Dependency Hierarchy:
elasticsearch-5.3.0.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-5.3/transport-5.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.3.0/f42e60773fa004188020327fcfbd5b946f9834c6/elasticsearch-5.3.0.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Publish Date: 2018-09-19
URL: CVE-2018-3831
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
Release Date: 2018-09-19
Fix Resolution (org.elasticsearch:elasticsearch): 5.6.12
Direct dependency fix Resolution (org.springframework.data:spring-data-elasticsearch): 3.1.0.RELEASE
Fix Resolution (org.elasticsearch:elasticsearch): 6.4.1
Direct dependency fix Resolution (org.elasticsearch.client:transport): 6.4.1
Fix Resolution (org.elasticsearch:elasticsearch): 5.6.12
Direct dependency fix Resolution (org.elasticsearch.client:transport): 5.6.12
⛑️ Automatic Remediation is available for this issue