Elastic Stack 7.4.0 security update

Elastic Code local file disclosure flaw (ESA-2019-12)
A local file disclosure flaw was found in Elastic Code. If a malicious code repository is imported into Code, it is possible to read arbitrary files from the local filesystem of the Kibana instance running Code, with the permissions of the Kibana system user.

The Code application in Kibana is a beta feature and disabled by default at this time. If you do not have ‘xpack.code.ui.enabled: true’ in your kibana.yml configuration file you are not affected by this issue.

Affected Versions
Elastic Code versions 7.3.0, 7.3.1, 7.3.2

Solutions and Mitigations:
Users should upgrade to Elastic Code 7.4.0.

Users who are unable to upgrade and have enabled the Code application in Kibana can disable it by setting ‘xpack.code.ui.enabled: false’ in kibana.yml.

CVSSv3: 4.2 - AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2019-7618


Elasticsearch username disclosure flaw (ESA-2019-13)
A username disclosure flaw was found in Elasticsearch’s API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

Affected Versions
The following Elasticsearch versions are affected by this flaw:
7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2
6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3

Solutions and Mitigations:
Users should upgrade to Elasticsearch version 7.4.0 or 6.8.4. If users cannot upgrade, the API key service can be disabled by setting ‘xpack.security.authc.api_key.enabled’ to false in the Elasticsearch configuration file.

CVSSv3: 3.7 - AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2019-7619
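
The following added example, which is not part of Elastic's advisory or code, checks a version string and configuration text against the affected versions and settings listed in both advisories above. Assumptions: the function names and sample configs are constructed, the Code version is taken to be the Kibana version, and the API key service is treated as enabled unless it is explicitly set to false.

```python
# Added example: triage check for ESA-2019-12 and ESA-2019-13.
# Version lists and setting names are copied from the advisory text above.
CODE_AFFECTED = {"7.3.0", "7.3.1", "7.3.2"}
ES_AFFECTED = {
    "7.0.0", "7.0.1", "7.1.0", "7.1.1", "7.2.0", "7.2.1", "7.3.0", "7.3.1", "7.3.2",
    "6.7.0", "6.7.1", "6.7.2", "6.8.0", "6.8.1", "6.8.2", "6.8.3",
}

def read_settings(text):
    """Flatten simple YAML (dotted or nested scalar keys) into {dotted_key: value}."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave mappings we have dedented out of
            stack.pop()
        value = value.strip().strip("'\"")
        if value == "":
            stack.append((indent, key.strip()))
        else:
            settings[".".join([k for _, k in stack] + [key.strip()])] = value.lower()
    return settings

def code_exposed(kibana_version, kibana_yml):
    """ESA-2019-12: affected version AND Code explicitly enabled (it is off by default)."""
    enabled = read_settings(kibana_yml).get("xpack.code.ui.enabled") == "true"
    return kibana_version in CODE_AFFECTED and enabled

def api_key_exposed(es_version, elasticsearch_yml):
    """ESA-2019-13: affected version AND API key service not explicitly disabled (assumption)."""
    setting = read_settings(elasticsearch_yml).get("xpack.security.authc.api_key.enabled")
    return es_version in ES_AFFECTED and setting != "false"

# Constructed sample configs (not taken from the advisory).
SAMPLE_KIBANA_YML = """
server.port: 5601
xpack:
  code:
    ui:
      enabled: true   # beta feature switched on
"""
SAMPLE_ES_YML = "cluster.name: demo\nxpack.security.authc.api_key.enabled: false\n"

if __name__ == "__main__":
    print("ESA-2019-12 exposed:", code_exposed("7.3.1", SAMPLE_KIBANA_YML))
    print("ESA-2019-13 exposed:", api_key_exposed("7.3.1", SAMPLE_ES_YML))
```

The parser only handles scalar settings written as dotted or nested keys; it does not follow environment-variable substitution or keystore values.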