CVE-2018-3825 Vulnerability Details

  /     /     /  

CVE-2018-3825 Metadata Quick Info

CVE Published: 19/09/2018 | CVE Updated: 05/08/2024 | CVE Year: 2018
Source: elastic | Vendor: Elastic | Product: Elastic Cloud Enterprise (ECE)
Status : PUBLISHED

---

CVE-2018-3825 Description

In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can connect to ZooKeeper directly they would be able to access configuration information of other tenants if their cluster ID is known.

Metrics

CVSS Version: 3.1 | Base Score: n/a
Vector: n/a

l➤ Exploitability Metrics:
    Attack Vector (AV)*
    Attack Complexity (AC)*
    Privileges Required (PR)*
    User Interaction (UI)*
    Scope (S)*

l➤ Impact Metrics:
    Confidentiality Impact (C)*
    Integrity Impact (I)*
    Availability Impact (A)*

Weakness Enumeration (CWE)

CWE-ID: CWE-321
CWE Name: CWE-321: Use of Hard-coded Cryptographic Key
Source: Elastic

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).