CVE-2018-17244

MEDIUM

Elasticsearch Security <6.4.2 - Info Disclosure

Title source: llm
STIX 2.1

Description

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.

References (3)

Core 3
Core References
Vendor Advisory x_refsource_confirm
https://www.elastic.co/community/security
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/106318

Scores

CVSS v3 6.5
EPSS 0.0146
EPSS Percentile 70.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200 CWE-362
Status published
Products (2)
elastic/elasticsearch 6.4.0 - 6.4.2
org.elasticsearch/elasticsearch 6.4.0 - 6.4.3Maven
Published Dec 20, 2018
Tracked Since Feb 18, 2026