CVE-2020-7018
HIGH
Elastic Enterprise Search < 7.9.0 - Improper Privilege Management
Title source: rule
Description
Elastic Enterprise Search before 7.9.0 contains a credential exposure flaw in the App Search interface. If a user is given the "developer" role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions as the App Search administrator.
Scores
CVSS v3
8.8
EPSS
0.0017
EPSS Percentile
37.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-269
CWE-266
Status
published
Affected Products (1)
elastic/enterprise_search
< 7.9.0
Timeline
Published
Aug 18, 2020
Tracked Since
Feb 18, 2026