CVE-2020-7009

HIGH

Elasticsearch 6.7.0-6.8.7 and 7.0.0-7.6.1 - Privilege Escalation via API Key Generation

Title source: llm
STIX 2.1

Description

Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_misc
https://www.elastic.co/community/security/
Mitigation, Release Notes, Vendor Advisory x_refsource_misc
https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20200403-0004/

Scores

CVSS v3 8.8
EPSS 0.0043
EPSS Percentile 62.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-269 CWE-266
Status published
Products (2)
elastic/elasticsearch 6.7.0 - 6.8.8
org.elasticsearch/elasticsearch 6.7.0 - 6.8.8Maven
Published Mar 31, 2020
Tracked Since Feb 18, 2026