PT-2017-18330 · Elastic · X-Pack Security

Published: 2017-06-05 · Updated: 2019-10-09 · CVE-2017-8438

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Elastic X-Pack Security versions 5.0.0 to 5.4.0

Description

The issue is a privilege escalation bug in the run as functionality. It affects the transition into the specified user during a run as request. If a role has been created using a template containing the user properties, run as behaves incorrectly. Furthermore, if the specified run as user does not exist, the transition does not occur.

Recommendations

For Elastic X-Pack Security versions 5.0.0 to 5.4.0, consider restricting the use of the run as functionality until a fix is available. As a temporary workaround, ensure that all roles are created without using templates that contain the user properties, and verify that the run as user exists before attempting to transition.
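The workaround above can be checked mechanically before roles are deployed. The following audit script is an added example, not part of this advisory or of Elastic's code; it assumes role definitions shaped like Elasticsearch role JSON (a top-level "run_as" list and per-index "query" templates) and that user properties are referenced as {{_user.<property>}}. The sample roles and user list are constructed for illustration.

```python
"""Audit X-Pack role definitions for the two conditions named in the advisory.
Added example, not Elastic's code. Assumes role dicts shaped like Elasticsearch
role JSON ("run_as" list, per-index "query" template) and that user templates
reference {{_user.<property>}}; sample roles and users below are constructed."""
import json
import re

# Matches mustache references to user properties, e.g. {{_user.username}}
USER_TEMPLATE = re.compile(r"\{\{\s*_user\.[A-Za-z_.]+\s*\}\}")


def uses_user_template(role):
    """True if any index-privilege query in the role references _user properties."""
    for idx in role.get("indices", []):
        query = idx.get("query")
        if query is None:
            continue
        text = query if isinstance(query, str) else json.dumps(query)
        if USER_TEMPLATE.search(text):
            return True
    return False


def audit_roles(roles, known_users):
    """Return (role_name, finding) pairs for roles that grant run_as and either
    use a _user template or name a run_as target that does not exist."""
    findings = []
    for name, role in roles.items():
        run_as = role.get("run_as", [])
        if not run_as:
            continue  # the advisory only concerns roles that can run as others
        if uses_user_template(role):
            findings.append((name, "run_as combined with _user template"))
        for target in run_as:
            if target not in known_users:
                findings.append((name, f"run_as target does not exist: {target}"))
    return findings


SAMPLE_ROLES = {  # constructed sample role definitions
    "support": {"run_as": ["alice", "ghost"],
                "indices": [{"names": ["tickets-*"], "privileges": ["read"],
                             "query": {"template": {"source": {"term": {
                                 "owner": "{{_user.username}}"}}}}}]},
    "reporting": {"run_as": ["bob"],
                  "indices": [{"names": ["reports-*"], "privileges": ["read"]}]},
}
SAMPLE_USERS = {"alice", "bob"}  # constructed list of existing users
```

Running `audit_roles(SAMPLE_ROLES, SAMPLE_USERS)` flags the "support" role twice (user template plus a non-existent run_as target) and passes "reporting"; in practice the role dicts would be loaded from the security API or role files and the user set from the realm in use.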

Weakness Enumeration

Improper Access Control

Improper Privilege Management

Related Identifiers

CVE-2017-8438

Affected Products

X-Pack Security