GHSA-pgq6-ccqj-hpqr

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-pgq6-ccqj-hpqr/GHSA-pgq6-ccqj-hpqr.json
Aliases
  • CVE-2022-23708
Published
2022-03-04T00:00:15Z
Modified
2022-08-15T08:39:08.966502Z
Details

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index. Users running a cluster on an affected version that had previously been upgraded from 6.x, should upgrade to 7.17.1. Users that are planning to upgrade from 6.x should not perform an upgrade from 6.x to versions 7.16 through 7.17.0 and should use 7.17.1+ for upgrades from 6.x.

References

Affected packages

Maven / org.elasticsearch:elasticsearch

org.elasticsearch:elasticsearch

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.16.0
Fixed
7.17.1

Affected versions

7.*

7.16.0
7.16.1
7.16.2
7.16.3
7.17.0