CVE-2017-8449 - Vulnerability Details - OpenCVE

X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00262.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	X-pack

Configuration 1 [-]

cpe:2.3:a:elastic:x-pack:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2017-17399	X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.elastic.co/community/security

History

No history.

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2017-06-16T21:00:00

Updated: 2024-08-05T16:34:23.089Z

Reserved: 2017-05-02T00:00:00

Link: CVE-2017-8449

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-06-16T21:29:00.603

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-8449

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Elastic X-Pack Security", "vendor": "Elastic", "versions": [{"status": "affected", "version": "before 5.3.0"}]}], "datePublic": "2017-03-28T00:00:00", "descriptions": [{"lang": "en", "value": "X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-06-16T20:57:02", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.elastic.co/community/security"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2017-8449", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Elastic X-Pack Security", "version": {"version_data": [{"version_value": "before 5.3.0"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}]}, "references": {"reference_data": [{"name": "https://www.elastic.co/community/security", "refsource": "CONFIRM", "url": "https://www.elastic.co/community/security"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:34:23.089Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.elastic.co/community/security"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2017-8449", "datePublished": "2017-06-16T21:00:00", "dateReserved": "2017-05-02T00:00:00", "dateUpdated": "2024-08-05T16:34:23.089Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:x-pack:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E741770-9008-443C-8CDE-98FB54AB3762", "versionEndIncluding": "5.2.2", "versionStartIncluding": "5.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index."}, {"lang": "es", "value": "X-Pack Security 5.2.x permitir\u00eda el acceso a m\u00e1s campos de los que el usuario deber\u00eda haber visto si las reglas de seguridad a nivel de campo empleasen una combinaci\u00f3n de reglas grant y exclude al combinar m\u00faltiples reglas con reglas de seguridad a nivel de campo para el mismo \u00edndice. 1763-L16BBB, series A y B, en versiones 16.00 y anteriores; 1763-L16BWA, series A y B, en versiones 16.00 y anteriores; 1763-L16DWD, series A y B, en versiones 16.00 y anteriores; y los controladores l\u00f3gicos programables Allen-Bradley MicroLogix 1400 1766-L32AWA, series A y B, en versiones 16.00 y anteriores; 1766-L32BWA, series A y B, en versiones 16.00 y anteriores; 1766-L32BWAA, series A y B, en versiones 16.00 y anteriores; 1766-L32BXB, series A y B, en versiones 16.00 y anteriores; 1766-L32BXBA, series A y B, en versiones 16.00 y anteriores; y 1766-L32AWAA, series A y B, en versiones 16.00 y anteriores. Se generan n\u00fameros de secuencia inicial TCP que no son lo suficientemente aleatorios, lo que podr\u00eda permitir que un atacante prediga los n\u00fameros de valores anteriores. Esto podr\u00eda permitir que un atacante suplante o interrumpa las conexiones TCP, lo que resulta en una denegaci\u00f3n de servicio (DoS) para el dispositivo objetivo."}], "id": "CVE-2017-8449", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-16T21:29:00.603", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "bressers@elastic.co", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}