Information Exposure

Affecting org.elasticsearch:elasticsearch artifact, versions [6.4.0, 6.4.3)


Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. They contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when combined with the run as feature, this can result in the request running as the incorrect user, which could allow a user to access information that they should not have access to.

Remediation

Upgrade org.elasticsearch:elasticsearch to version 6.4.3 or higher.
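The affected range above is written in Maven version-range notation ([6.4.0, 6.4.3) means 6.4.0 inclusive up to, but not including, the fixed 6.4.3). The following Python snippet is an added example, not code from Snyk or from the Elasticsearch project: it parses that notation, compares a version against it, and scans constructed lines in the groupId:artifactId:type:version:scope shape that `mvn dependency:list` prints, so a build pipeline can flag the vulnerable artifact before the upgrade lands. The sample dependency lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Coordinates, affected range and fixed version are taken from the advisory text.
AFFECTED_COORDINATE = "org.elasticsearch:elasticsearch"
AFFECTED_RANGE = "[6.4.0, 6.4.3)"
FIXED_VERSION = "6.4.3"

Version = Tuple[int, ...]


def parse_version(version: str) -> Version:
    """Turn '6.4.1' (or '6.4.1-SNAPSHOT') into a comparable tuple, padded to 3 parts."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * max(0, 3 - len(nums))


def parse_range(spec: str) -> Tuple[Optional[Version], bool, Optional[Version], bool]:
    """Parse a Maven range such as '[6.4.0, 6.4.3)' or '(, 6.4.3]'.

    Returns (lower, lower_inclusive, upper, upper_inclusive); an empty bound is None.
    """
    m = re.match(r"^\s*([\[(])([^,\]\)]*),([^,\]\)]*)([\])])\s*$", spec)
    if not m:
        raise ValueError(f"unrecognised range: {spec!r}")
    lo_bracket, lo, hi, hi_bracket = m.groups()
    lower = parse_version(lo) if lo.strip() else None
    upper = parse_version(hi) if hi.strip() else None
    return lower, lo_bracket == "[", upper, hi_bracket == "]"


def in_range(version: str, spec: str) -> bool:
    """True when `version` falls inside the Maven range `spec`."""
    v = parse_version(version)
    lower, lo_inc, upper, hi_inc = parse_range(spec)
    if lower is not None and (v < lower or (v == lower and not lo_inc)):
        return False
    if upper is not None and (v > upper or (v == upper and not hi_inc)):
        return False
    return True


def find_vulnerable(dependency_lines: List[str]) -> List[str]:
    """Return 'group:artifact:version' for every line matching the advisory's coordinate and range.

    Accepts the groupId:artifactId:type:version:scope lines that `mvn dependency:list`
    prints, with or without the leading '[INFO]' prefix.
    """
    hits = []
    for raw in dependency_lines:
        line = raw.strip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):].strip()
        parts = line.split(":")
        if len(parts) < 4:
            continue  # not a dependency line
        coordinate = f"{parts[0]}:{parts[1]}"
        version = parts[3]
        if coordinate == AFFECTED_COORDINATE and in_range(version, AFFECTED_RANGE):
            hits.append(f"{coordinate}:{version}")
    return hits


# Constructed sample output in the shape of `mvn dependency:list` (not a real project).
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.elasticsearch:elasticsearch:jar:6.4.1:compile",
    "[INFO]    org.elasticsearch.client:transport:jar:6.4.1:compile",
    "[INFO]    org.apache.logging.log4j:log4j-core:jar:2.11.1:compile",
]

if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_DEPENDENCY_LIST):
        print(f"{hit} is in {AFFECTED_RANGE}; upgrade to {FIXED_VERSION} or higher")
```

Only the `org.elasticsearch:elasticsearch` artifact is checked, as the advisory names it; the transport client on the second constructed line shares the version but a different artifactId and is deliberately not reported.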

CVSS Score

6.5 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Credit: Unknown
CVE: CVE-2018-17244
CWE: CWE-200
Snyk ID: SNYK-JAVA-ORGELASTICSEARCH-460549
Disclosed: 20 Dec, 2018
Published: 02 Sep, 2019