CVE-2020-7009: Improper Privilege Management in Elasticsearch
CVSS Score: 8.8 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.87911%
CWE
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.elasticsearch:elasticsearch | maven | >= 6.7.0, <= 6.8.7 | 6.8.8 |
org.elasticsearch:elasticsearch | maven | >= 7.0.0, <= 7.6.1 | 7.6.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers around improper privilege management during API key creation. Elasticsearch's API key generation logic (handled by `ApiKeyService`) is the primary suspect, as the advisory explicitly states the flaw occurs when attackers create API keys. The mitigation involves disabling API keys entirely, further implicating this component. While no direct code diffs are provided, the combination of the vulnerability description, CWE mapping to privilege assignment flaws, and standard Elasticsearch security architecture strongly points to the `createApiKey` method as the vulnerable entry point.