TLS Trust Manager Vulnerability in X-Pack Security by Elastic
CVE-2017-8445

5.5 MEDIUM

Key Information:

Vendor: Elastic
CVE Published: 18 August 2017

Summary

A vulnerability exists in the X-Pack Security TLS trust manager, affecting versions 5.0.0 to 5.5.1. In situations where trust material reloading fails, the TLS trust manager could be replaced by an instance that bypasses certificate validation, allowing any node with any certificate to connect to the cluster. This presents a significant risk as it undermines the intended security measures, which should involve rejecting untrusted certificates to maintain secure communications between nodes.

Affected Version(s)

Elastic X-Pack Security 5.0.0 to 5.5.1

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
