Privilege Escalation in Elastic X-Pack Security by Elastic
CVE-2017-8438
8.8 HIGH
Summary
Elastic X-Pack Security versions 5.0.0 through 5.4.0 are susceptible to a privilege escalation vulnerability in the run_as functionality. The flaw disrupts the transition to the user specified in a run_as request, especially when a role has been created using a template with _user properties. If the specified run_as user does not exist, the intended transition fails, potentially allowing unauthorized access.
Affected Version(s)
X-Pack Security 5.0.0 to 5.4.0
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved