CVE-2020-7014

HIGH8.8EPSS 0.42%

Privilege Escalation Flaw in Elasticsearch

發布日:2021/3/18修改日:2025/4/3

描述

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

受影響套件(2)

Bitnami/elasticsearch>= 6.7.0, < 6.8.8, >= 7.0.0, < 7.6.2
Maven/org.elasticsearch:elasticsearch>= 6.7.0, < 6.8.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7014
WEBhttps://security.netapp.com/advisory/ntap-20200619-0003
WEBhttps://security.netapp.com/advisory/ntap-20200619-0003/
WEBhttps://www.elastic.co/community/security
WEBhttps://www.elastic.co/community/security/