CVE-2019-13421

2019-08-23 16:15:11 2019-10-10 01:46:28

Search Guard versions before 23.1 had an issue that an administrative user is able to retrieve bcrypt password hashes of other users configured in the internal user database.

Vector

NETWORK

Complexity

LOW

Authentication

SINGLE_INSTANCE

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Search-guard Search guard 22.3 (not an official CPE) Search-guard Search guard 21.0 (not an official CPE) Search-guard Search guard 6.5.3-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.5.1-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.4.3-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.4.2-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.4.1-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.4.0-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.4.0-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.2-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.2-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.2-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.1-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.1-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.1-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.0-16 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.3.0-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.4-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.4-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.3-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.3-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.2-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.2-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.1-15 ~~~kibana~~ (not an official CPE) Search-guard Search guard 6.2.1-14 ~~~kibana~~ (not an official CPE) Search-guard Search guard - (not an official CPE) Search-guard Search guard 23.0 (not an official CPE)

Search-guard - Search guard

Advisory	Patch	Confirmed	Link
			https://search-guard.com/cve-advisory/
			https://www.syss.de/fileadmin/dokumente/Publikationen/Ad...
			https://docs.search-guard.com/6.x-23/changelog-searchgua...

Information Exposure (ID 200)

Related CAPEC 7 Subverting Environment Variable Values (CAPEC-ID 13) Footprinting (CAPEC-ID 169) Exploiting Trust in Client (aka Make the Client Invisible) (CAPEC-ID 22) Browser Fingerprinting (CAPEC-ID 472) Session Credential Falsification through Prediction (CAPEC-ID 59) Reusing Session IDs (aka Session Replay) (CAPEC-ID 60) Using Slashes in Alternate Encoding (CAPEC-ID 79)