Lucene search

GoogleOSV:BIT-ELASTICSEARCH-2022-23708

HistoryMar 06, 2024 - 10:52 a.m.

BIT-elasticsearch-2022-23708

2024-03-0610:52:31

Google

osv.dev

flaw

discovered

elasticsearch

upgrade

assistant

version 6.x

version 7.x

in-built

protections

security index

authenticated users

permissions

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.7%

JSON

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.

CPENameOperatorVersion
elasticsearchge7.16.0
elasticsearchlt7.17.1

CPE	Name	Operator	Version
	elasticsearch	ge	7.16.0
	elasticsearch	lt	7.17.1

References

discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447

security.netapp.com/advisory/ntap-20220729-0003/

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

22.7%

JSON

Related for OSV:BIT-ELASTICSEARCH-2022-23708