CVE-2017-8449: Infoleak
First published: Fri Jun 16 2017(Updated: )
X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic | >=5.2.0<=5.2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-8449?
CVE-2017-8449 has a moderate severity rating due to potential unauthorized access to sensitive data.
How do I fix CVE-2017-8449?
To fix CVE-2017-8449, upgrade to a version of X-Pack Security that is later than 5.2.2.
What kind of access does CVE-2017-8449 allow?
CVE-2017-8449 allows users to access more fields than they are permitted to view due to misconfigured field level security rules.
Which versions of Elastic X-Pack are affected by CVE-2017-8449?
CVE-2017-8449 affects Elastic X-Pack versions from 5.2.0 to 5.2.2 inclusive.
Is CVE-2017-8449 specific to certain indices?
Yes, CVE-2017-8449 is specific to indices where field level security rules have mixed grant and exclude configurations.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/author
- agent/references
- agent/last-modified-date
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/elastic
- canonical/elastic
- version/elastic/5.2.0
- version/elastic/5.2.2