Fedora Account System
Red Hat Associate
Red Hat Customer
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to. References: https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594 https://www.elastic.co/community/security
Created elasticsearch tracking bugs for this issue: Affects: fedora-all [bug 1661627]
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-17244