#VU21429 Race condition in Elasticsearch - CVE-2019-7614

Cybersecurity Help s.r.o.

Published: 2019-09-30

Vulnerability identifier: #VU21429

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-7614

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Elasticsearch
Web applications / Other software

Vendor: Elastic Stack

Description

The vulnerability allows a remote attacker gain access to sensitive information.

The vulnerability exists due to a race condition error when processing multiple concurrent requests from different users. A remote authenticated user can access response headers with sensitive information from another user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Elasticsearch: 6.8.0 - 6.8.1, 7.2.0

External links
https://www.elastic.co/community/security/ (ESA-2019-07)

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Elasticsearch