Enterprise Search
CVE-2020-7018
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the �developer� role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions of the App Search administrator.
AnalysisAI
Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-266. Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the �developer� role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions of the App Search administrator. Affected products include: Elastic Enterprise Search. Version information: before 7.9.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Enterprise Search
View allElastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing autho
Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to
An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Se
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today