CVE-2019-7619
username disclosure vulnerability in elasticsearch (Maven)
What is CVE-2019-7619 About?
This vulnerability is a username disclosure flaw in the Elasticsearch API Key service, allowing an unauthenticated attacker to determine the existence of usernames. This information leakage could aid attackers in subsequent brute-force or social engineering attacks, making it a reconnaissance-level vulnerability that is simple to exploit. It exposes sensitive user account information which can be leveraged for further attacks.
Affected Software
- org.elasticsearch:elasticsearch
- >=6.7.0, <6.8.4
- >=7.0.0, <7.4.0
Technical Details
The flaw resides within the API Key service of Elasticsearch. An unauthenticated attacker can send a specifically crafted request to this service. By observing differing responses or timings (e.g., error messages for non-existent users vs. other responses for existing ones, or subtle timing differences), the attacker can determine if a given username exists within the Elasticsearch native realm. This provides valuable reconnaissance for attackers, allowing them to gather valid usernames without authentication, which can then be used for targeted attacks like password guessing or credential stuffing.
What is the Impact of CVE-2019-7619?
Successful exploitation may allow attackers to enumerate valid usernames, aiding in subsequent brute-force attacks or social engineering efforts.
What is the Exploitability of CVE-2019-7619?
Exploitation is simple and requires no authentication or specific privileges, as it can be performed by an unauthenticated attacker. It involves sending a specially crafted request to the Elasticsearch API Key service. This is a remote exploitation scenario, typically requiring only network access to the Elasticsearch instance. The primary risk factor is the public exposure of the Elasticsearch API, making it an easy target for attackers seeking to gather reconnaissance information on user accounts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-7619?
Available Upgrade Options
- org.elasticsearch:elasticsearch
- >=6.7.0, <6.8.4 → Upgrade to 6.8.4
- org.elasticsearch:elasticsearch
- >=7.0.0, <7.4.0 → Upgrade to 7.4.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
- https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831
- https://discuss.elastic.co/t/elastic-stack-6-8-4-security-update/204908
- https://github.com/elastic/elasticsearch
- https://www.elastic.co/community/security
- https://osv.dev/vulnerability/GHSA-hxp8-r9g3-grfr
- https://nvd.nist.gov/vuln/detail/CVE-2019-7619
- https://www.elastic.co/community/security
- https://discuss.elastic.co/t/elastic-stack-7-4-0-security-update/201831
What are Similar Vulnerabilities to CVE-2019-7619?
Similar Vulnerabilities: CVE-2021-41221 , CVE-2017-1000494 , CVE-2021-36531 , CVE-2020-25866 , CVE-2023-41005
