GHSA-pgq6-ccqj-hpqr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pgq6-ccqj-hpqr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-pgq6-ccqj-hpqr/GHSA-pgq6-ccqj-hpqr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pgq6-ccqj-hpqr
- Aliases
-
- BIT-elasticsearch-2022-23708
- CVE-2022-23708
- Published
- 2022-03-04T00:00:15Z
- Modified
- 2024-02-20T05:24:42.092875Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Elasticsearch privilege escalation
- Details
-
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. Users running a cluster on an affected version that had previously been upgraded from 6.x, should upgrade to 7.17.1. Users that are planning to upgrade from 6.x should not perform an upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.
- Database specific
{ "nvd_published_at": "2022-03-03T22:15:00Z", "cwe_ids": [ "CWE-269" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-03-04T21:08:50Z" }- References
Affected packages
Maven / org.elasticsearch:elasticsearch
Package
- Name
- org.elasticsearch:elasticsearch
- View open source insights on deps.dev
- Purl
- pkg:maven/org.elasticsearch/elasticsearch