In Elasticsearch versions 6.0.0-beta1 to 6.2.4 a disclosure flaw was found in the snapshot API. When the accesskey and security_key parameters are set using the _snapshot API they can be exposed as plain text by users able to query the _snapshot API.
{
"cpe": [
"cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
"cpe:2.3:a:elastic:elasticsearch:6.0.0:beta1:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "6.0.0"
},
{
"last_affected": "6.2.4"
},
{
"introduced": "6.0.0-beta1"
},
{
"last_affected": "6.0.0-beta1"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}