CVE-2020-7010

Summary

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials generated by ECK.

Affected Software

VendorProductVersion RangeStatus
ElasticElastic Cloud on Kubernetesbefore 1.1.0affected

Weaknesses

  • CWE-335: CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References