ES vulnerability CVE-2018-3831


#1

Is CVE-2018-3831 (Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API) applicable to standard Elasticsearch or just Elasticsearch with the xpack plugin?
Thanks!


(Tim Vernum) #2

The underlying issue with the _cluster/settings API affects standard elasticsearch, but the only secrets that are stored in dynamic cluster settings are part of x-pack, so there would be no information disclosure if x-pack isn't installed.

The issue could affect other plugins that store secrets in cluster settings.
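An added example, not part of any post in this thread: one way to audit a saved `GET _cluster/settings` response for secret-looking entries, covering both x-pack settings and settings from other plugins. The name heuristic, the sample response and the `exampleplugin` key are assumptions constructed for illustration.

```python
import re

# Name fragments that usually mark a credential. This heuristic is an
# assumption of this example, not a list published by Elastic.
SECRET_HINT = re.compile(r"(password|passwd|secret|token|api_key|apikey)", re.I)

def flatten(node, prefix=""):
    """Yield (dotted_key, value) for every leaf of a nested settings dict."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    else:
        yield prefix, node

def find_exposed_secrets(cluster_settings):
    """Return sorted (scope, key) pairs whose name suggests a stored secret.

    cluster_settings is the parsed JSON body of GET _cluster/settings, in
    nested or flat_settings form. Values are never returned or printed.
    """
    hits = []
    for scope in ("persistent", "transient"):
        for key, value in flatten(cluster_settings.get(scope, {})):
            leaf = key.rsplit(".", 1)[-1]  # judge only the final path segment
            if SECRET_HINT.search(leaf) and value not in (None, ""):
                hits.append((scope, key))
    return sorted(hits)

# Constructed sample response; "exampleplugin" is a hypothetical plugin.
SAMPLE = {
    "persistent": {
        "xpack": {"notification": {"email": {"account": {"ops": {"smtp": {
            "host": "smtp.example.test",
            "user": "alerts",
            "password": "constructed-value",
        }}}}}},
        "cluster": {"routing": {"allocation": {"enable": "all"}}},
    },
    "transient": {"exampleplugin.remote.auth_token": "constructed-value"},
}

if __name__ == "__main__":
    for scope, key in find_exposed_secrets(SAMPLE):
        print(f"{scope}: {key} is readable via _cluster/settings")
```

Any key it reports is a candidate for moving out of cluster settings and rotating after upgrading to a fixed version.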


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.