The host is installed with Elasticsearch 6.7.x through 6.8.3 and 7.x through 7.3.2 and is prone to an information disclosure vulnerability. A flaw is present in the application, which fails to handle an issue in API Key service. Successful exploitation could allow attackers to send a specially crafted request and determine if a username exists in the Elasticsearch native realm.