9 matches found
CVE-2017-8445
CVE-2017-8445 affects Elasticsearch X-Pack Security TLS trust manager in versions 5.0.0–5.5.1. If trust material reload fails, the trust manager can be replaced with an instance that trusts all certificates, potentially allowing any node using any certificate to join a cluster. The authenticated ...
CVE-2018-3822
Elastic X-Pack Security (part of Elasticsearch) versions 6.2.0–6.2.2 are affected by CVE-2018-3822 due to improper XML canonicalization and DOM traversal in the SAML implementation, enabling a user impersonation attack if the SAML IdP allows self-registration with arbitrary identifiers and an att...
CVE-2017-8438
Elastic X-Pack Security (Elasticsearch X-Pack Security) versions 5.0.0–5.4.0 contain a privilege escalation vulnerability in the run_as functionality. The bug prevents transitioning to the specified user in a run_as request, and can misbehave if a role template includes the _user properties or if...
CVE-2017-8450
CVE-2017-8450 concerns Elastic Stack: Elastic Kibana X-Pack 5.1.1. The issue is an information-disclosure vulnerability where document and field level security were not properly enforced for multi-search and multi-get requests, potentially allowing users without access to certain documents/fields...
CVE-2017-8449
CVE-2017-8449 affects Elastic X-Pack Security 5.2.x (Elasticsearch/Kibana). When field-level security rules for the same index are merged with a mix of grant and exclude rules, a user could see more fields than permitted. This has been documented by SUSE and OpenVAS plugins, with CVSS base scores...
CVE-2017-8447
Summary: CVE-2017-8447 affects Elastic Stack’s X-Pack Security. A bug in the privilege enforcement (versions 5.3.0–5.5.2) can let a user with either ‘delete’ or ‘index’ permissions issue both delete and index requests against the same index. This could enable unintended modification/permission re...
CVE-2017-8441
The CVE-2017-8441 issue affects Elastic X-Pack Security: versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This could allow a user with restricted permissions to view data they should not access when performing certain operations against an...
CVE-2017-8442
CVE-2017-8442 affects Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3. When enabled, the Elasticsearch _nodes API can leak sensitive configuration information, including paths and passphrases of SSL keys used by an authentication realm, potentially exposing credentials to an authenticated u...
CVE-2017-8448
CVE-2017-8448 affects Elastic X-Pack alerting in Elastic Stack versions 5.0.0–5.6.0, where the permission model allowed users mapped to certain built-in roles to create a watch that elevated their privileges. The issue stems from a privilege escalation vulnerability in the X-Pack alerting permiss...