PT-2022-16218 · Elastic · Elasticsearch
Published 2022-03-03 · Updated 2024-03-06 · CVE-2022-23708
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Elasticsearch versions 7.16 through 7.17.0
Description
A flaw was discovered in Elasticsearch's upgrade assistant: during an upgrade from version 6.x to 7.x it disables the built-in protections on the security index. As a result, authenticated users holding "*" index permissions can access this index.
Recommendations
For versions 7.16 through 7.17.0, upgrade to 7.17.1 to resolve the issue.
For users planning to upgrade from 6.x, use version 7.17.1 or later for the upgrade to avoid the vulnerability.
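A defender-side audit for the exposure described above, added here as an example and not code from Elastic or from this advisory: it checks whether a cluster's reported version falls in the affected range (7.16.0 through 7.17.0) and, if so, lists roles that grant any privilege on the "*" index pattern so they can be reviewed. The two JSON documents are constructed stand-ins for the responses of `GET /` and `GET _security/role`; skipping roles flagged `_reserved` is an assumption made to keep built-in roles out of the report.

```python
import json

# Constructed sample responses standing in for GET / and GET _security/role.
# They are not captures from a real cluster.
CLUSTER_INFO = json.dumps({"version": {"number": "7.16.3"}})
ROLES = json.dumps({
    "superuser": {"indices": [{"names": ["*"], "privileges": ["all"]}],
                  "metadata": {"_reserved": True}},
    "analyst_wide": {"indices": [{"names": ["*"], "privileges": ["read"]}],
                     "metadata": {}},
    "app_logs": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}],
                 "metadata": {}},
})

AFFECTED_MIN = (7, 16, 0)   # first affected release per the advisory
AFFECTED_MAX = (7, 17, 0)   # last affected release; 7.17.1 carries the fix


def parse_version(number):
    """Turn '7.16.3' (or '7.16', '7.17.0-SNAPSHOT') into a comparable tuple."""
    parts = [int(p) for p in number.split("-")[0].split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_is_affected(number):
    return AFFECTED_MIN <= parse_version(number) <= AFFECTED_MAX


def roles_with_all_index_access(roles, skip_reserved=True):
    """Names of roles granting any privilege on the '*' index pattern."""
    hits = []
    for name, role in roles.items():
        if skip_reserved and role.get("metadata", {}).get("_reserved"):
            continue  # built-in roles are skipped by assumption
        for entry in role.get("indices", []):
            if "*" in entry.get("names", []):
                hits.append(name)
                break
    return sorted(hits)


def audit(cluster_info_json, roles_json):
    """Combine the version check with the role scan into one report."""
    number = json.loads(cluster_info_json)["version"]["number"]
    affected = version_is_affected(number)
    roles = json.loads(roles_json)
    exposed = roles_with_all_index_access(roles) if affected else []
    return {"version": number, "affected": affected, "roles_to_review": exposed}


if __name__ == "__main__":
    print(json.dumps(audit(CLUSTER_INFO, ROLES), indent=2))
```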
Fix
Improper Privilege Management
Related Identifiers
Affected Products
Elasticsearch