{"id":"CVE-2018-3831","details":"Elasticsearch Alerting and Monitoring in versions before 6.4.1 or 5.6.12 have an information disclosure issue when secrets are configured via the API. The Elasticsearch _cluster/settings API, when queried, could leak sensitive configuration information such as passwords, tokens, or usernames. This could allow an authenticated Elasticsearch user to improperly view these details.","aliases":["GHSA-r9fv-qpm9-rj4g"],"modified":"2026-05-08T14:29:28.974676Z","published":"2018-09-19T19:29:01.343Z","references":[{"type":"ADVISORY","url":"https://discuss.elastic.co/t/elastic-stack-6-4-1-and-5-6-12-security-update/149035"},{"type":"ADVISORY","url":"https://www.elastic.co/community/security"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elastic/elasticsearch","events":[{"introduced":"781a83507f0598b36512cba088ffeefa73b4bbe6"},{"fixed":"cfe3d9f611a328cfffc18b445b3aecb016349514"},{"introduced":"8f0685b924b9159807704ec2593b26e28105da44"},{"fixed":"e36acdb78ec6499be861ae1b2dac264cce2f8b10"}],"database_specific":{"extracted_events":[{"introduced":"5.6.0"},{"fixed":"5.6.12"},{"introduced":"6.0.0"},{"fixed":"6.4.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*"}}],"versions":["v5.6.0","v5.6.1","v5.6.10","v5.6.11","v5.6.2","v5.6.3","v5.6.4","v5.6.5","v5.6.6","v5.6.7","v5.6.8","v5.6.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-3831.json","vanir_signatures":[{"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/cfe3d9f611a328cfffc18b445b3aecb016349514","signature_type":"Function","digest":{"length":627,"function_hash":"245112205843880558279750546596623543392"},"id":"CVE-2018-3831-7bfde369","signature_version":"v1","target":{"file":"core/src/main/java/org/elasticsearch/rest/action/admin/cluster/RestClusterGetSettingsAction.java","function":"renderResponse"}},{"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/cfe3d9f611a328cfffc18b445b3aecb016349514","signature_type":"Function","digest":{"length":178,"function_hash":"75304332167645952264038636458838984850"},"id":"CVE-2018-3831-ad9844ea","signature_version":"v1","target":{"file":"core/src/main/java/org/elasticsearch/rest/action/admin/cluster/RestClusterGetSettingsAction.java","function":"buildResponse"}},{"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/cfe3d9f611a328cfffc18b445b3aecb016349514","signature_type":"Line","digest":{"line_hashes":["6050237913006087601073254437585209538","60107012639700574181679274837344128155","191985491623229440854892413422071989202","257781946815554066480098114691559078424","162021931871336335277611178417699507228","23533146067636190421457415933876078590","166486716429780431734718460423427091230","215378831698413253306184269978881240233","231673356455399862132121384358453987044","244385425659389697684007892909835193709","321105069801722557791981137812402290563","336015527414474895599322750453760734251","60217913526744787811157881069907679513","178507123970851705023752893050436715665","6108261966285638391720942036084092028","294624781573481223266925533903653991191","10065298344469674431239282135786861255","223202977539096721608570789349325717939","149140557998146579917920204755253441503","143779210919278777433923788158833267046","278196845290163914227463647169457571730","206087138854520942778615863726687763384"],"threshold":0.9},"id":"CVE-2018-3831-ca6da352","signature_version":"v1","target":{"file":"core/src/main/java/org/elasticsearch/rest/action/admin/cluster/RestClusterGetSettingsAction.java"}},{"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/cfe3d9f611a328cfffc18b445b3aecb016349514","signature_type":"Function","digest":{"length":676,"function_hash":"53902283460885638904433042963012187388"},"id":"CVE-2018-3831-dc55ede5","signature_version":"v1","target":{"file":"core/src/main/java/org/elasticsearch/rest/action/admin/cluster/RestClusterGetSettingsAction.java","function":"prepareRequest"}},{"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/e36acdb78ec6499be861ae1b2dac264cce2f8b10","signature_type":"Line","digest":{"line_hashes":["331229147510554549826809874914935124924","254276209446272384044583753062389201190","27537866461400125577129015498685620922","216225618808138297959660794076370556467"],"threshold":0.9},"id":"CVE-2018-3831-ef2b39e8","signature_version":"v1","target":{"file":"x-pack/plugin/sql/jdbc/src/main/java/org/elasticsearch/xpack/sql/jdbc/jdbc/JdbcDatabaseMetaData.java"}},{"deprecated":false,"source":"https://github.com/elastic/elasticsearch/commit/e36acdb78ec6499be861ae1b2dac264cce2f8b10","signature_type":"Function","digest":{"length":55,"function_hash":"294050113117428528900130259615950086876"},"id":"CVE-2018-3831-fa22d5e0","signature_version":"v1","target":{"file":"x-pack/plugin/sql/jdbc/src/main/java/org/elasticsearch/xpack/sql/jdbc/jdbc/JdbcDatabaseMetaData.java","function":"getCatalogSeparator"}}],"vanir_signatures_modified":"2026-05-08T14:29:28Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}