The MITRE CVE dictionary describes this issue as:
Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.
Find out more about CVE-2018-3831 from the MITRE CVE dictionary and NIST NVD.
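As an added triage example (not part of this advisory or of Elasticsearch), the following Python checks whether a reported version predates the fixed releases named above and lists which secret-like settings a _cluster/settings response still carries, so an operator can move them out of cluster settings and rotate them. The secret-name pattern, the sample response and the treatment of pre-5.x releases are this example's own assumptions.

```python
import json
import re

FIXED_5X = (5, 6, 12)  # first fixed release on the 5.x branch, per the advisory
FIXED_6X = (6, 4, 1)   # first fixed release on the 6.x branch, per the advisory
# Setting-name fragments treated as secret-bearing; this list is the example's assumption.
SECRET_KEY_RE = re.compile(r"password|passwd|secret|token", re.IGNORECASE)

def parse_version(version):
    """'6.4.0' -> (6, 4, 0); a qualifier such as '-rc1' is dropped."""
    return tuple(int(p) for p in version.split("-")[0].split("."))

def is_affected(version):
    """True when the release predates the fix on its branch. Releases before
    5.x are outside the advisory's scope and are conservatively reported as affected."""
    v = parse_version(version)
    if v[0] == 6:
        return v < FIXED_6X
    if v[0] > 6:
        return False
    return v < FIXED_5X

def flatten(obj, prefix=""):
    """Yield (dotted.key, value) for every leaf of a nested settings dict."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, path)
        else:
            yield path, value

def find_exposed_secrets(settings_json):
    """Return dotted names of secret-like settings found in a _cluster/settings
    response (persistent and transient scopes); values are never returned."""
    settings = json.loads(settings_json)
    return sorted(f"{scope}.{path}"
                  for scope in ("persistent", "transient")
                  for path, _ in flatten(settings.get(scope, {}))
                  if SECRET_KEY_RE.search(path))

# Constructed sample shaped like a pre-fix _cluster/settings reply; not real data.
SAMPLE_RESPONSE = json.dumps({
    "persistent": {"xpack": {"notification": {"email": {"account": {"ops": {
        "smtp": {"user": "alerts", "password": "placeholder-not-real"}}}}}}},
    "transient": {"cluster": {"routing": {"allocation": {"enable": "all"}}}},
})

if __name__ == "__main__":
    print(is_affected("6.4.0"), is_affected("6.4.1"), find_exposed_secrets(SAMPLE_RESPONSE))
```

A hit only tells you the setting name is exposed to any authenticated reader of _cluster/settings; the remediation is to upgrade to a fixed release and rotate the exposed credential.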
Subscription Asset Manager is now in a reduced support phase, receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score | 5.3 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | Low |
User Interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | None |
Availability Impact | None |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | elasticsearch | Will not fix |
Red Hat OpenStack Platform Operational Tools 9 | elasticsearch | Affected |
Red Hat OpenShift Enterprise 3.2 | elasticsearch | Not affected |
Red Hat OpenShift Enterprise 3.1 | elasticsearch | Not affected |
Red Hat OpenShift Enterprise 3.0 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.9 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.7 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.6 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.5 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.4 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.3 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.11 | elasticsearch | Not affected |
Red Hat OpenShift Container Platform 3.10 | elasticsearch | Not affected |
Red Hat JBoss Fuse 7 | elasticsearch | Under investigation |
Red Hat JBoss Fuse 6 | elasticsearch | Under investigation |
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 | elasticsearch | Affected |