UBUNTU-CVE-2020-7018

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2020-7018
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-7018.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2020-7018
Upstream
  • CVE-2020-7018
Published
2020-08-18T17:15:00Z
Modified
2025-10-24T04:48:18Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - negligible
Summary
[none]
Details

Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the �developer� role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions of the App Search administrator.

References

Affected packages

Ubuntu:16.04:LTS / elasticsearch

Package

Name
elasticsearch
Purl
pkg:deb/ubuntu/elasticsearch@1.7.3+dfsg-3?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.6.2+dfsg-1
1.7.3+dfsg-1
1.7.3+dfsg-2
1.7.3+dfsg-3

Ecosystem specific 

{
    "binaries": [
        {
            "binary_version": "1.7.3+dfsg-3",
            "binary_name": "elasticsearch"
        },
        {
            "binary_version": "1.7.3+dfsg-3",
            "binary_name": "libelasticsearch1.7-java"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-7018.json"