Skip to content

Privilege Escalation Flaw in Elasticsearch

Moderate severity GitHub Reviewed Published Mar 18, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

maven org.elasticsearch:elasticsearch (Maven)

Affected versions

>= 6.7.0, < 6.8.8
>= 7.0.0, < 7.6.2

Patched versions

6.8.8
7.6.2

Description

The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.

References

Published by the National Vulnerability Database Jun 3, 2020
Reviewed Mar 16, 2021
Published to the GitHub Advisory Database Mar 18, 2021
Last updated Feb 1, 2023

Severity

Moderate

EPSS score

0.104%
(44th percentile)

Weaknesses

CVE ID

CVE-2020-7014

GHSA ID

GHSA-hqqv-9x3v-mp7w

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.