CVE-2018-17244

Published: Dec 20, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.

Vendor: Elastic

Product: Elasticsearch

Versions: affected, 6.4.0 to 6.4.2

Weaknesses (CWE)
