Elasticsearch API key privilege escalation (ESA-2020-02)
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
All versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 are vulnerable to this issue.
Solutions and Mitigations
Users should upgrade to Elasticsearch version 7.6.2 or 6.8.8. Users who are unable to upgrade can mitigate this flaw by disabling API keys by setting xpack.security.authc.api_key.enabled to false in the elasticsearch.yml file.
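To triage an inventory of nodes against the affected ranges and the mitigation above, a check along these lines can be used. This is an added example, not code from Elastic or from the advisory; the node names, versions and file contents are constructed, and it assumes the setting is written as a flat key in elasticsearch.yml rather than as nested YAML.

```python
import re

# Affected ranges (inclusive) and fixed releases as stated in ESA-2020-02.
AFFECTED = [((6, 7, 0), (6, 8, 7), "6.8.8"), ((7, 0, 0), (7, 6, 1), "7.6.2")]
MITIGATION_KEY = "xpack.security.authc.api_key.enabled"


def parse_version(text):
    """Return (major, minor, patch) from strings such as '7.6.1' or '7.6.1-SNAPSHOT'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def api_keys_disabled(yml_text):
    """True only if the flat-form setting is explicitly false (assumption: flat
    keys, not nested YAML). An absent setting is treated as not mitigated."""
    for line in yml_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        key, sep, value = line.partition(":")
        if sep and key.strip() == MITIGATION_KEY:
            return value.strip().strip("'\"").lower() == "false"
    return False


def triage(version_text, yml_text=""):
    """Classify one node by reported version and elasticsearch.yml contents."""
    version = parse_version(version_text)
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            if api_keys_disabled(yml_text):
                return f"mitigated (API keys disabled); upgrade to {fixed}"
            return f"vulnerable; upgrade to {fixed}"
    return "not in affected range"


# Constructed inventory: (node name, reported version, elasticsearch.yml contents).
SAMPLE_NODES = [
    ("es-a", "7.6.1", "cluster.name: demo\n"),
    ("es-b", "6.8.7", "xpack.security.authc.api_key.enabled: false  # ESA-2020-02\n"),
    ("es-c", "7.6.2", ""),
]

if __name__ == "__main__":
    for name, version, yml in SAMPLE_NODES:
        print(f"{name}: {version}: {triage(version, yml)}")
```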
Additional details about this change can be found here:
Elasticsearch API key privileges
CVSSv3: 5.7 - AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
CVE ID: CVE-2020-7009