GHSA-vfp4-xx6m-7vf6

GitHub Security Advisory

Cryptographic Issues in ECK

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed, they may be able to more easily brute force the Elasticsearch credentials generated by ECK.

Affected Packages

Go github.com/elastic/cloud-on-k8s
Affected versions: 0 (fixed in 1.1.0)

Key Information

GHSA ID: GHSA-vfp4-xx6m-7vf6
Published: February 15, 2022 1:57 AM
Last Modified: February 12, 2024 3:33 PM
CVSS Score: 7.5/10
Primary Ecosystem: Go
Primary Package: github.com/elastic/cloud-on-k8s
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.