Improper Privilege Management in Elasticsearch
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Jan 27, 2023
Package
Affected versions
>= 6.7.0, <= 6.8.7
>= 7.0.0, <= 7.6.1
Patched versions
6.8.8
7.6.2
Description
Published by the National Vulnerability Database
Mar 31, 2020
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jun 23, 2022
Last updated
Jan 27, 2023
Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys. An attacker who is able to generate an API key can perform a series of steps that result in an API key being generated with elevated privileges.
References