CVE-2020-7010

EPSS 0.35%
Published 03.06.2020 18:15:22
Last modified 21.11.2024 05:36:29
Source bressers@elastic.co
Teams watchlist Login
Open Login

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Elastic ≫ Elastic Cloud On Kubernetes Version < 1.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.35%	0.549

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

https://www.elastic.co/community/security/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-7010

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-7010

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-7010

EUVD