CVE-2018-17244 (Medium) detected in elasticsearch-6.4.2.jar

[mend-for-github.aaakk.us.kg]

CVE-2018-17244 - Medium Severity Vulnerability

Vulnerable Library - elasticsearch-6.4.2.jar

Elasticsearch subproject :server

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: cloud-pipeline/billing-report-agent/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.2/29a4003b7e28ae8d8896041e2e16caa7c4272ee3/elasticsearch-6.4.2.jar,canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/6.4.2/29a4003b7e28ae8d8896041e2e16caa7c4272ee3/elasticsearch-6.4.2.jar

Dependency Hierarchy:

• ❌ elasticsearch-6.4.2.jar (Vulnerable Library)

Found in HEAD commit: 1db3170e0bd699acd5fec6e3fcebfa68fe86edcf

Found in base branch: develop

Vulnerability Details

Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. A request may receive headers intended for another request if the same username is being authenticated concurrently; when used with run as, this can result in the request running as the incorrect user. This could allow a user to access information that they should not have access to.

Publish Date: 2018-12-20

URL: CVE-2018-17244

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17244

Release Date: 2018-12-20

Fix Resolution: v6.4.3

---

⛑️ Automatic Remediation is available for this issue