CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2017-8447
https://notcve.org/view.php?id=CVE-2017-8447
28 Sep 2017 — An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. Existe un error en torno al cumplimiento de los privilegios en X-Pack Security desde la versión 5.3.0 hasta la 5.5.2 Si un usuario tiene los permisos de "delete" o "index" en un índice en un clúster, podría enviar las peticiones de delete e index contra el índice. • https://discuss.elastic.co/t/x-pack-security-5-6-0-and-5-5-3-security-update/100089 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 15EXPL: 0CVE-2017-8448
https://notcve.org/view.php?id=CVE-2017-8448
28 Sep 2017 — An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. Existe un error en el modelo de permisos utilizado en X-Pack Alerting desde la versión 5.0.0 hasta la 5.6.0, en donde los usuarios que tienen integrados ciertos roles podrían crear un "watch" que haría que esos usuarios obtengan privilegios elevados. • https://discuss.elastic.co/t/x-pack-alerting-and-kibana-5-6-1-security-update/101884 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-8446
https://notcve.org/view.php?id=CVE-2017-8446
18 Aug 2017 — The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data. La característica Reporting en X-Pack en versiones anteriores a la 5.5.2 y el plugin independiente Reporting en versiones anteriores a la 2.4.6 presentaba una vulnerabilidad de suplantación. Un usuario ... • https://www.elastic.co/community/security • CWE-269: Improper Privilege Management CWE-522: Insufficiently Protected Credentials •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8445
https://notcve.org/view.php?id=CVE-2017-8445
18 Aug 2017 — An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates. Se ha encontrado un error en el administrador de confianza X-Pack Security TLS en las versiones de la 5.0.0 a la 5.5.1. • https://www.elastic.co/community/security • CWE-295: Improper Certificate Validation •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8442
https://notcve.org/view.php?id=CVE-2017-8442
07 Jul 2017 — Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. Elasticsearch X-Pack Security versiones desde 5.0.0 hasta 5.4.3, cuando está habilitada, pueden resultar en que la API _nodes de Elasticsearch filtre información con... • https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8450
https://notcve.org/view.php?id=CVE-2017-8450
16 Jun 2017 — X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. X-Pack 5.1.1 no aplicaba correctamente seguridad a nivel de documento y campo a las peticiones multi-search y multi-get, por lo que los usuarios sin acceso a un documento y/o campo podrían haber accedido a esta información. 1763-L16BBB, series A y B, en versiones 16.00 y anteriores; 1763-L16BWA, series A... • https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8449
https://notcve.org/view.php?id=CVE-2017-8449
16 Jun 2017 — X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index. X-Pack Security 5.2.x permitiría el acceso a más campos de los que el usuario debería haber visto si las reglas de seguridad a nivel de campo empleasen una combinación de reglas grant y exclude al combinar múltiples reglas con reglas de seguridad a nivel de campo para el m... • https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2017-8438
https://notcve.org/view.php?id=CVE-2017-8438
05 Jun 2017 — Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege escalation bug in the run_as functionality. This bug prevents transitioning into the specified user specified in a run_as request. If a role has been created using a template that contains the _user properties, the behavior of run_as will be incorrect. Additionally if the run_as user specified does not exist, the transition will not happen. Las versiones 5.0.0 hasta 5.4.0 de Elastic X-Pack Security contienen un error de escalación de privil... • https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2017-8441
https://notcve.org/view.php?id=CVE-2017-8441
05 Jun 2017 — Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not always correctly apply Document Level Security to index aliases. This bug could allow a user with restricted permissions to view data they should not have access to when performing certain operations against an index alias. Elastic X-Pack Security versiones anteriores a 5.4.1 y 5.3.3 no siempre aplicaban correctamente la Seguridad de Nivel de Documento para los alias de índices. Este error podría permitir a un usuario con permisos restringido... • https://discuss.elastic.co/t/elastic-stack-5-4-1-and-5-3-3-security-updates/87952 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-279: Incorrect Execution-Assigned Permissions •