CVE-2018-17244
Published 2018-12-20
CVE-2018-17244: Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP…
Priority: P336 · Severity: medium · CVSS 3.0 base score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.46% (70.2th percentile)
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with the run-as feature, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | 6.4.0 – 6.4.2 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vendor_redhat | — | 6.5 | MEDIUM | — |
Red Hat
elasticsearch: Information Exposure due to improper set request headers
vendor_redhat·2018-11-06·CVSS 6.5
CVE-2018-17244 [MEDIUM] CWE-200 elasticsearch: Information Exposure due to improper set request headers
Package: elasticsearch (Red Hat Decision Manager 7) - Not affected
Package: elasticsearch (Red Hat Fuse 7) - Not affected
Package: elasticsearch (Red Hat JBoss Fuse 6) - Out of support scope
Package: elasticsearch (Red Hat OpenShift Container Platform 3.10) -
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
osv·2022-05-13
CVE-2018-17244 [MEDIUM] Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
ghsa·2022-05-13
CVE-2018-17244 [MEDIUM] CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Elasticsearch
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-17244 elasticsearch: Information Exposure due to improper set request headers [fedora-all]
bugzilla·2018-12-21·CVSS 6.5
CVE-2018-17244 [MEDIUM] CVE-2018-17244 elasticsearch: Information Exposure due to improper set request headers [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multi
Bugzilla
CVE-2018-17244 elasticsearch: Information Exposure due to improper set request headers
bugzilla·2018-12-21·CVSS 6.5
CVE-2018-17244 [MEDIUM] CVE-2018-17244 elasticsearch: Information Exposure due to improper set request headers
References:
https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
https://www.elastic.co/community/security
Discussion:
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1661627]
---
Thi
http://www.securityfocus.com/bid/106318
https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
https://www.elastic.co/community/security
Published: 2018-12-20