CVE-2017-8441 — Incorrect Execution-Assigned Permissions in X-pack

CWE-279 — Incorrect Execution-Assigned Permissions CWE-200 — Sensitive Information Exposure3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 67.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic X-pack Elastic X-pack Security

Timeline

PublishedJun 5

Latest updateMay 13

Description

Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5elastic/x-pack_securityprior to 5.4.1 and 5.3.3

▶NVDelastic/x-pack5.3.0 — 5.3.3+1

🔴Vulnerability Details

GHSA

GHSA-5r8r-2h6m-393g: Elastic X-Pack Security versions prior to 5↗2022-05-13

▶

CVEList

CVE-2017-8441: Elastic X-Pack Security versions prior to 5↗2017-06-05

▶