Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2018-12-20T22:00:00

Updated: 2024-08-05T10:47:04.105Z

Reserved: 2018-09-20T00:00:00

Link: CVE-2018-17244

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-12-20T22:29:00.240

Modified: 2024-11-21T03:54:09.017

Link: CVE-2018-17244

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-11-06T00:00:00Z

Links: CVE-2018-17244 - Bugzilla