Candidate: CVE-2018-3831
PublicDate: 2018-09-19 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3831
 https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035
 https://www.elastic.co/community/security
Description:
 Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12
 have an information disclosure issue when secrets are configured via the
 API. The Elasticsearch _cluster/settings API, when queried, could leak
 sensitive configuration information such as passwords, tokens, or
 usernames. This could allow an authenticated Elasticsearch user to
 improperly view these details.
Ubuntu-Description:
Notes:
 msalvatore> "This issue only afects our security plugin, which was not part of
              a default distribution in 1.7"
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_elasticsearch:
upstream_elasticsearch: released (6.4.1, 5.6.12)
precise/esm_elasticsearch: DNE
trusty_elasticsearch: DNE
trusty/esm_elasticsearch: DNE
xenial_elasticsearch: not-affected (code not present)
bionic_elasticsearch: DNE
cosmic_elasticsearch: DNE
disco_elasticsearch: DNE
devel_elasticsearch: DNE