CVE-2018-17244 is a vulnerability in Elasticsearch
Published on December 20, 2018
Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.
Weakness Type
What is a Race Condition Vulnerability?
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
CVE-2018-17244 has been classified as a Race Condition vulnerability or weakness.
Products Associated with CVE-2018-17244
Affected Versions
Elasticsearch versions 6.4.0 to 6.4.2 are affected by CVE-2018-17244.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.