CVE-2017-8448
https://notcve.org/view.php?id=CVE-2017-8448
An error was found in the permission model used by X-Pack Alerting 5.0.0 to 5.6.0 whereby users mapped to certain built-in roles could create a watch that results in that user gaining elevated privileges. Existe un error en el modelo de permisos utilizado en X-Pack Alerting desde la versión 5.0.0 hasta la 5.6.0, en donde los usuarios que tienen integrados ciertos roles podrían crear un "watch" que haría que esos usuarios obtengan privilegios elevados. • https://discuss.elastic.co/t/x-pack-alerting-and-kibana-5-6-1-security-update/101884 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVE-2017-8447
https://notcve.org/view.php?id=CVE-2017-8447
An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enforcement. If a user has either 'delete' or 'index' permissions on an index in a cluster, they may be able to issue both delete and index requests against that index. Existe un error en torno al cumplimiento de los privilegios en X-Pack Security desde la versión 5.3.0 hasta la 5.5.2 Si un usuario tiene los permisos de "delete" o "index" en un índice en un clúster, podría enviar las peticiones de delete e index contra el índice. • https://discuss.elastic.co/t/x-pack-security-5-6-0-and-5-5-3-security-update/100089 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVE-2017-8446
https://notcve.org/view.php?id=CVE-2017-8446
The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data. La característica Reporting en X-Pack en versiones anteriores a la 5.5.2 y el plugin independiente Reporting en versiones anteriores a la 2.4.6 presentaba una vulnerabilidad de suplantación. Un usuario con el papel de reporting_user podría ejecutar un informe con los permisos de otro usuario que informa, obteniendo así acceso a datos sensibles. • https://www.elastic.co/community/security • CWE-269: Improper Privilege Management CWE-522: Insufficiently Protected Credentials •
CVE-2017-8445
https://notcve.org/view.php?id=CVE-2017-8445
An error was found in the X-Pack Security TLS trust manager for versions 5.0.0 to 5.5.1. If reloading the trust material fails the trust manager will be replaced with an instance that trusts all certificates. This could allow any node using any certificate to join a cluster. The proper behavior in this instance is for the TLS trust manager to deny all certificates. Se ha encontrado un error en el administrador de confianza X-Pack Security TLS en las versiones de la 5.0.0 a la 5.5.1. • https://www.elastic.co/community/security • CWE-295: Improper Certificate Validation •
CVE-2017-8442
https://notcve.org/view.php?id=CVE-2017-8442
Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, can result in the Elasticsearch _nodes API leaking sensitive configuration information, such as the paths and passphrases of SSL keys that were configured as part of an authentication realm. This could allow an authenticated Elasticsearch user to improperly view these details. Elasticsearch X-Pack Security versiones desde 5.0.0 hasta 5.4.3, cuando está habilitada, pueden resultar en que la API _nodes de Elasticsearch filtre información confidencial de configuración, como las paths y frases de contraseña de las claves SSL que se configuraron como parte de un realm de autenticación. Esto podría permitir que un usuario autenticado de Elasticsearch visualice inapropiadamente estos detalles. • https://www.elastic.co/community/security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •