CVE-2020-7009

Source
https://cve.org/CVERecord?id=CVE-2020-7009
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7009.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-7009
Published
2020-03-31T19:15:14.447Z
Modified
2026-02-05T05:38:00.116330Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Elasticsearch versions from 6.7.0 before 6.8.8 and 7.0.0 before 7.6.2 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.

Affected packages

Git / github.com/elastic/elasticsearch

Affected versions

v6.*
v6.7.0
v6.7.1
v6.7.2
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7009.json"
vanir_signatures
[
    {
        "id": "CVE-2020-7009-ce6852db",
        "target": {
            "file": "buildSrc/src/main/java/org/elasticsearch/gradle/test/DistroTestPlugin.java"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2020-7009-f78b34cc",
        "target": {
            "function": "apply",
            "file": "buildSrc/src/main/java/org/elasticsearch/gradle/test/DistroTestPlugin.java"
        },
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
        "digest": {
            "function_hash": "67819099224607828614636832684374336454",
            "length": 2541.0
        },
        "signature_type": "Function"
    }
]