CVE-2019-7619 - OpenCVE

Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Elastic	Elasticsearch

Configuration 1 [-]

OR	cpe:2.3:a:elastic:elasticsearch::::::::
	cpe:2.3:a:elastic:elasticsearch::::::::

References

Link	Resource
https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908	Vendor Advisory
https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831	Vendor Advisory
https://www.elastic.co/community/security	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: elastic

Published: 2019-10-30T13:37:42

Updated: 2019-10-30T13:37:42

Reserved: 2019-02-07T00:00:00

Link: CVE-2019-7619

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-30T14:15:11.380

Modified: 2021-11-03T19:35:03.303

Link: CVE-2019-7619

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Elasticsearch", "vendor": "Elastic", "versions": [{"status": "affected", "version": "7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Information Exposure", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-10-30T13:37:42", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.elastic.co/community/security"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2019-7619", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Elasticsearch", "version": {"version_data": [{"version_value": "7.0.0, 7.0.1, 7.1.0, 7.1.1, 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.3.2, 6.7.0, 6.7.1, 6.7.2, 6.8.0, 6.8.1, 6.8.2, 6.8.3"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Information Exposure"}]}]}, "references": {"reference_data": [{"name": "https://www.elastic.co/community/security", "refsource": "CONFIRM", "url": "https://www.elastic.co/community/security"}, {"name": "https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908", "refsource": "CONFIRM", "url": "https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908"}, {"name": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831", "refsource": "CONFIRM", "url": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831"}]}}}}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2019-7619", "datePublished": "2019-10-30T13:37:42", "dateReserved": "2019-02-07T00:00:00", "dateUpdated": "2019-10-30T13:37:42", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CB56E9B-63ED-4DA2-B654-7A1BFDEFA918", "versionEndIncluding": "6.8.3", "versionStartIncluding": "6.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "039EBA71-BE88-4904-8C5D-A825F41F27E4", "versionEndIncluding": "7.3.2", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username disclosure flaw was found in the API Key service. An unauthenticated attacker could send a specially crafted request and determine if a username exists in the Elasticsearch native realm."}, {"lang": "es", "value": "Elasticsearch versiones 7.0.0 hasta 7.3.2 y versiones 6.7.0 hasta 6.8.3, contienen un fallo de divulgaci\u00f3n de nombre de usuario que se encontr\u00f3 en el servicio Key de la API. Un atacante no autenticado podr\u00eda enviar una petici\u00f3n especialmente dise\u00f1ada y determinar si un nombre de usuario existe en el reino nativo de Elasticsearch."}], "id": "CVE-2019-7619", "lastModified": "2021-11-03T19:35:03.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-30T14:15:11.380", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "bressers@elastic.co", "type": "Secondary"}]}