CVE-2019-7614 (Medium) detected in elasticsearch-5.6.10.jar, elasticsearch-6.4.2.jar #299
Description
CVE-2019-7614 - Medium Severity Vulnerability
Vulnerable Libraries - elasticsearch-5.6.10.jar, elasticsearch-6.4.2.jar
elasticsearch-5.6.10.jar
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: cloud-pipeline/api/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.10/ab7febde50a92702bbbba83db69acd75bda4b25/elasticsearch-5.6.10.jar
Dependency Hierarchy:
- transport-5.6.10.jar (Root Library)
- ❌ elasticsearch-5.6.10.jar (Vulnerable Library)
elasticsearch-6.4.2.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: cloud-pipeline/billing-report-agent/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.2/29a4003b7e28ae8d8896041e2e16caa7c4272ee3/elasticsearch-6.4.2.jar,canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.2/29a4003b7e28ae8d8896041e2e16caa7c4272ee3/elasticsearch-6.4.2.jar
Dependency Hierarchy:
- ❌ elasticsearch-6.4.2.jar (Vulnerable Library)
Found in HEAD commit: 1db3170e0bd699acd5fec6e3fcebfa68fe86edcf
Found in base branch: develop
Vulnerability Details
A race condition flaw was found in the response headers Elasticsearch versions before 7.2.1 and 6.8.2 returns to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to response header containing sensitive data from another user.
Publish Date: 2019-07-30
URL: CVE-2019-7614
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7614
Release Date: 2019-07-30
Fix Resolution: org.elasticsearch:elasticsearch:6.8.2;org.elasticsearch:elasticsearch:7.2.1