CVE-2017-8438
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
05/06/2017
Last modified:
20/04/2025
Description
Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:elastic:x-pack:5.0.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.0.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.1.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.3.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:elastic:x-pack:5.4.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952
- https://www.elastic.co/blog/elasticsearch-5-4-1-and-5-3-3-released
- https://www.elastic.co/community/security
- https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952
- https://www.elastic.co/blog/elasticsearch-5-4-1-and-5-3-3-released
- https://www.elastic.co/community/security