CVE-2018-17244 (Medium) detected in elasticsearch-6.4.2.jar #89
Description
CVE-2018-17244 - Medium Severity Vulnerability
Vulnerable Library - elasticsearch-6.4.2.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: cloud-pipeline/billing-report-agent/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.2/29a4003b7e28ae8d8896041e2e16caa7c4272ee3/elasticsearch-6.4.2.jar,canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.2/29a4003b7e28ae8d8896041e2e16caa7c4272ee3/elasticsearch-6.4.2.jar
Dependency Hierarchy:
- ❌ elasticsearch-6.4.2.jar (Vulnerable Library)
Found in HEAD commit: 1db3170e0bd699acd5fec6e3fcebfa68fe86edcf
Found in base branch: develop
Vulnerability Details
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Publish Date: 2018-12-20
URL: CVE-2018-17244
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17244
Release Date: 2018-12-20
Fix Resolution: v6.4.3
⛑️ Automatic Remediation is available for this issue