Impact: Low Public Date: 2019-08-23 CWE: CWE-522 Bugzilla: 1747476: CVE-2019-13421 search-guard: Administrative user is able to retrieve bcrypt password hashes of other users Search Guard versions before 23.1 had an issue that an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2019-13421 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 4.9 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat OpenShift Container Platform 4.1 | search-guard | Under investigation |
| Red Hat OpenShift Container Platform 3.9 | search-guard | Under investigation |
| Red Hat OpenShift Container Platform 3.11 | search-guard | Under investigation |
| Red Hat OpenShift Container Platform 3.10 | search-guard | Under investigation |
Vulmon