GHSA-pgq6-ccqj-hpqr

Suggest an improvement
Source
https://github.com/advisories/GHSA-pgq6-ccqj-hpqr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-pgq6-ccqj-hpqr/GHSA-pgq6-ccqj-hpqr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pgq6-ccqj-hpqr
Aliases
Published
2022-03-04T00:00:15Z
Modified
2024-02-20T05:24:42.092875Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Elasticsearch privilege escalation
Details

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. Users running a cluster on an affected version that had previously been upgraded from 6.x, should upgrade to 7.17.1. Users that are planning to upgrade from 6.x should not perform an upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.

References

Affected packages

Maven / org.elasticsearch:elasticsearch

Package

Name
org.elasticsearch:elasticsearch
View open source insights on deps.dev
Purl
pkg:maven/org.elasticsearch/elasticsearch

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.16.0
Fixed
7.17.1

Affected versions

7.*

7.16.0
7.16.1
7.16.2
7.16.3
7.17.0