CVE-2017-8449: Incorrect Permission Assignment in X-pack

Severity
5.9 MEDIUM (NVD)
EPSS
0.3% (top 50.42%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 16
Latest update: May 13

Description

X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | elastic/elastic_x-pack_security | before 5.3.0
NVD | elastic/x-pack | 5.2.0 | 5.2.2

Vulnerability Details (2)

GHSA
GHSA-wx3g-r3fp-jg5g: X-Pack Security 5 (2022-05-13)
CVEList
CVE-2017-8449: X-Pack Security 5 (2017-06-16)

Exploits & PoCs (1)

Exploit-DB
Microsoft Windows - 'CiSetFileCache' WDAC Security Feature Bypass TOCTOU (2018-09-19)