CVE-2022-23708

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-23708
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-23708.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-23708
Published
2022-03-03T22:15:08Z
Modified
2025-10-15T13:49:19.512312Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details

A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Affected versions

v7.*

v7.16.0
v7.16.1
v7.17.0

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a",
        "signature_version": "v1",
        "target": {
            "file": "x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": []
        },
        "id": "CVE-2022-23708-46868c56"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a",
        "signature_version": "v1",
        "target": {
            "function": "monitoringExporterGroupedSetting",
            "file": "x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java"
        },
        "digest": {
            "function_hash": "165482351688345707173695098433441287823",
            "length": 1319.0
        },
        "id": "CVE-2022-23708-5d0e65b7"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a",
        "signature_version": "v1",
        "target": {
            "function": "deprecatedAffixGroupedSetting",
            "file": "x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java"
        },
        "digest": {
            "function_hash": "81242662974819149104372912973832414697",
            "length": 1971.0
        },
        "id": "CVE-2022-23708-6a9a5cc6"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a",
        "signature_version": "v1",
        "target": {
            "file": "x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": []
        },
        "id": "CVE-2022-23708-7138c559"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a",
        "signature_version": "v1",
        "target": {
            "function": "deprecatedAffixSetting",
            "file": "x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java"
        },
        "digest": {
            "function_hash": "1789796353482668074025554634844605557",
            "length": 1194.0
        },
        "id": "CVE-2022-23708-7b0c41ec"
    }
]