Bug 1661626 (CVE-2018-17244) - CVE-2018-17244 elasticsearch: Information Exposure due to improper set request headers
Summary: CVE-2018-17244 elasticsearch: Information Exposure due to improper set reques...
Keywords:
Status: NEW
Alias: CVE-2018-17244
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181106,repor...
Depends On: 1661627
Blocks: 1661628
Reported: 2018-12-21 19:43 UTC by Laura Pardo
Modified: 2019-05-15 22:50 UTC (History)
CC List: 21 users

Fixed In Version: elasticsearch 6.4.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Laura Pardo 2018-12-21 19:43:33 UTC
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.


References:
https://discuss.elastic.co/t/elastic-stack-6-4-3-and-5-6-13-security-update/155594
https://www.elastic.co/community/security
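
A checker for the condition described above, added here as an example; it is not part of this bug report, of Elastic's advisory, or of Elasticsearch itself. It does two things: tests a reported version string against the affected range (6.4.0 up to but not including the fixed 6.4.3), and sends many concurrent requests that all authenticate as the same user while each asks, via the real `es-security-runas-user` header, to run as a different target, then reports any reply whose authenticated username is not the requested run-as user. The 6.x endpoint `_xpack/security/_authenticate` and the header name are Elasticsearch's own; the host, credentials and user names are assumptions, and the version test does not know whether Security (X-Pack) is actually enabled on the cluster.

```python
"""Added example for CVE-2018-17244 (not code from the bug, Elastic or Elasticsearch).
Version range check plus a concurrent run-as identity probe; host, credentials
and user names are assumptions."""
import base64
import json
import urllib.request
from concurrent.futures import ThreadPoolExecutor

AFFECTED_MIN = (6, 4, 0)
FIXED = (6, 4, 3)  # "Fixed In Version: elasticsearch 6.4.3"


def parse_version(text):
    """'6.4.2' -> (6, 4, 2); a pre-release/build suffix after '-' is dropped."""
    core = text.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Elasticsearch version: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True for 6.4.0, 6.4.1 and 6.4.2 (the advisory's affected range)."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED


def find_runas_mismatches(results):
    """results: iterable of (requested_runas_user, username_in_reply).
    Returns the pairs where the cluster ran the request as someone other than
    the run-as user that was asked for, i.e. the symptom the advisory describes."""
    return [(want, got) for want, got in results if want != got]


def _authenticate_as(base_url, auth_header, runas_user, timeout=10):
    """One request: authenticate as the caller, ask to run as `runas_user`,
    and return the username the cluster reports the request executed as."""
    req = urllib.request.Request(base_url + "/_xpack/security/_authenticate")
    req.add_header("Authorization", auth_header)
    req.add_header("es-security-runas-user", runas_user)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))["username"]


def probe(base_url, username, password, runas_users, rounds=50, workers=16):
    """Fire rounds*len(runas_users) concurrent requests, every one of them
    authenticating as `username` (the same-user-concurrently condition from the
    advisory), each asking to run as a different target; report mismatches."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    auth_header = "Basic " + token
    targets = [u for _ in range(rounds) for u in runas_users]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        observed = list(pool.map(
            lambda u: _authenticate_as(base_url, auth_header, u), targets))
    return find_runas_mismatches(zip(targets, observed))


if __name__ == "__main__":
    # Assumed cluster, credentials and run-as targets; the calling user must
    # hold run_as privileges for both targets on the cluster under test.
    bad = probe("http://localhost:9200", "svc_gateway", "changeme",
                ["alice", "bob"])
    print("mismatched identities:", bad or "none")
```

An empty mismatch list from one run is not proof of absence, since the advisory describes a timing-dependent condition; treat the version check as the authoritative signal and the probe as a regression check after upgrading to 6.4.3 or later.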

Comment 1 Laura Pardo 2018-12-21 19:43:46 UTC
Created elasticsearch tracking bugs for this issue:

Affects: fedora-all [bug 1661627]

Comment 4 Joshua Padman 2019-05-15 22:50:44 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

