An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2023-11-22T01:45:21.008Z

Updated: 2024-08-04T01:30:08.934Z

Reserved: 2021-08-03T20:49:52.461Z

Link: CVE-2021-37937

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-11-22T02:15:42.043

Modified: 2024-11-21T06:16:06.437

Link: CVE-2021-37937

cve-icon Redhat

No data.