CVE-2018-3831: Exposure of Sensitive Information to an Unauthorized Actor

May 13, 2022 (updated August 15, 2022)

Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.

References

discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
github.com/advisories/GHSA-r9fv-qpm9-rj4g
nvd.nist.gov/vuln/detail/CVE-2018-3831
www.elastic.co/community/security

Detect and mitigate CVE-2018-3831 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →