Privilege Escalation in Elastic X-Pack Security by Elastic
CVE-2017-8438

8.8 HIGH

Key Information:

Vendor: Elastic
CVE Published: 5 June 2017

Summary

Elastic X-Pack Security versions 5.0.0 through 5.4.0 are susceptible to a privilege escalation vulnerability in the run_as functionality. The flaw prevents the transition to the user specified in a run_as request, especially when a role has been created using a template with _user properties. If the specified run_as user does not exist, the intended transition fails, potentially allowing unauthorized access.

Affected Version(s)

X-Pack Security 5.0.0 to 5.4.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
