CVE-2018-17244

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-17244

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17244.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-17244

Aliases

GHSA-vpqm-88c4-x4cv

Published

2018-12-20T22:29:00Z

Modified

2024-09-03T02:08:38.084573Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type: GIT
Repo: https://github.com/elastic/elasticsearch
Events: Introduced

595516e45d054483dcdaf12f0468a59cb34bb568

Last affected

04711c21227efda954d15c23857ad04b9f669076

Affected versions

v6.*

v6.4.0

v6.4.1

v6.4.2