CVE-2019-13421

MEDIUM

Search-guard Search Guard < 23.1 - Information Disclosure

Title source: rule

Description

Search Guard versions before 23.1 had an issue that an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database.

References (3)

[Release Notes] https://docs.search-guard.com/6.x-23/changelog-searchguard-6-x-23_1

[Vendor Advisory] https://search-guard.com/cve-advisory/

[Exploit, Third Party Advisory] https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SySS-2018-025.txt

Scores

CVSS v3 4.9

EPSS 0.0039

EPSS Percentile 59.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522 CWE-200

Status published

Affected Products (1)

search-guard/search_guard < 23.1

Timeline

Published Aug 23, 2019

Tracked Since Feb 18, 2026