CVE-2017-8446
18.08.2017, 20:29
The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.Enginsight
| Vendor | Product | Version |
|---|---|---|
| elasticsearch | x-pack | 𝑥 ≤ 5.5.1 |
| elasticsearch | x-pack_reporting | 𝑥 ≤ 2.4.5 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-522 - Insufficiently Protected CredentialsThe product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- CWE-269 - Improper Privilege ManagementThe software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.