Description
Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Affected products
- Elastic / Elasticsearch7.0.0 – 7.17.29
- Elastic / Elasticsearch8.0.0 – 8.19.7
- Elastic / Elasticsearch9.0.0 – 9.1.7
- Elastic / Elasticsearch9.2.0 – 9.2.1