{"id":"GHSA-gfv5-grx2-9jw2","summary":"Improper Privilege Management in Elasticsearch","details":"Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges. Fixed in 6.8.8 and 7.6.2. The only precondition is the ability to create API keys (the CVSS vector records low privileges required and no user interaction), so on an affected version any account permitted to create API keys should be treated as able to obtain elevated privileges. After upgrading, API keys created while the cluster was on an affected version may warrant review, as the advisory does not state whether previously issued keys are affected by the fix.","aliases":["BIT-elasticsearch-2020-7009","CVE-2020-7009"],"modified":"2024-02-21T05:33:01.378064Z","published":"2022-05-24T17:13:01Z","database_specific":{"severity":"HIGH","cwe_ids":["CWE-266","CWE-269"],"github_reviewed_at":"2022-06-23T18:02:18Z","nvd_published_at":"2020-03-31T19:15:00Z","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-7009"},{"type":"WEB","url":"https://discuss.elastic.co/t/elastic-stack-6-8-8-and-7-6-2-security-update/225920"},{"type":"PACKAGE","url":"https://github.com/elastic/elasticsearch"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20200403-0004"},{"type":"WEB","url":"https://www.elastic.co/community/security"}],"affected":[{"package":{"name":"org.elasticsearch:elasticsearch","ecosystem":"Maven","purl":"pkg:maven/org.elasticsearch/elasticsearch"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.8.8"}]}],"versions":["6.7.0","6.7.1","6.7.2","6.8.0","6.8.1","6.8.2","6.8.3","6.8.4","6.8.5","6.8.6","6.8.7"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gfv5-grx2-9jw2/GHSA-gfv5-grx2-9jw2.json","last_known_affected_version_range":"\u003c= 6.8.7"}},{"package":{"name":"org.elasticsearch:elasticsearch","ecosystem":"Maven","purl":"pkg:maven/org.elasticsearch/elasticsearch"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"7.0.0"},{"fixed":"7.6.2"}]}],"versions":["7.0.0","7.0.1","7.1.0","7.1.1","7.2.0","7.2.1","7.3.0","7.3.1","7.3.2","7.4.0","7.4.1","7.4.2","7.5.0","7.5.1","7.5.2","7.6.0","7.6.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gfv5-grx2-9jw2/GHSA-gfv5-grx2-9jw2.json","last_known_affected_version_range":"\u003c= 7.6.1"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}