CVE-2018-3825
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.
En Elastic Cloud Enterprise (ECE) en versiones anteriores a la 1.1.4, una clave de cifrado maestra por defecto se utiliza en el proceso de concesión de acceso de Zookeeper a los clústers de Elasticsearch. A no ser que esté explícitamente sobrescrito, esta clave maestra es predecible en todos los despliegues ECE. Si un atacante puede conectar directamente con ZooKeeper, podría acceder a la información de configuración de otros inquilinos si el ID del clúster es conocido.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-01-02 CVE Reserved
- 2018-09-19 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-321: Use of Hard-coded Cryptographic Key
- CWE-1188: Initialization of a Resource with an Insecure Default
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://discuss.elastic.co/t/elastic-cloud-enterprise-1-1-4-security-update/135778 | 2019-10-09 | |
https://www.elastic.co/community/security | 2019-10-09 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Elastic Search vendor "Elastic" | Elastic Cloud Enterprise Search vendor "Elastic" for product "Elastic Cloud Enterprise" | < 1.1.4 Search vendor "Elastic" for product "Elastic Cloud Enterprise" and version " < 1.1.4" | - |
Affected
|