First published: Wed Sep 19 2018
In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 it was discovered that a user could scale out allocators on new hosts with an invalid roles token. An attacker with access to the previous runner ID and the IP address of the coordinator host could add an allocator to an existing ECE installation and thereby gain access to other clusters' data.
Credit: bressers@elastic.co
Affected Software | Affected Version | How to fix
---|---|---
Elastic Cloud Enterprise (Elastic) | <1.1.4 | Update to 1.1.4 or later
CVE-2018-3829 is a vulnerability discovered in Elastic Cloud Enterprise (ECE) versions prior to 1.1.4.
CVE-2018-3829 has a severity rating of medium with a CVSS score of 5.3.
CVE-2018-3829 allows an attacker with access to the previous runner ID and IP address of the coordinator-host to add an allocator to an existing ECE install.
To fix CVE-2018-3829, you should update Elastic Cloud Enterprise to version 1.1.4 or later.
Additional information about CVE-2018-3829 is available at the following links:
- [Elastic discussion forum](https://discuss.elastic.co/t/elastic-cloud-enterprise-1-1-4-security-update/135778)
- [Elastic security page](https://www.elastic.co/community/security)