A flaw was discovered in the upgrade assistant of Elasticsearch 7.17.0: upgrading from version 6.x to 7.x would disable the built-in protections on the security index, allowing authenticated users with “*” index permissions to access the security index.
[ { "signature_type": "Line", "deprecated": false, "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a", "signature_version": "v1", "target": { "file": "x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java" }, "digest": { "threshold": 0.9, "line_hashes": [ "236836815310709596383608286106644790881", "196381633559554339088896249561089112903", "146873537089190934299820367594122268218", "334357347513489300173246355664845051067" ] }, "id": "CVE-2022-23708-46868c56" }, { "signature_type": "Function", "deprecated": false, "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a", "signature_version": "v1", "target": { "function": "monitoringExporterGroupedSetting", "file": "x-pack/plugin/deprecation/src/test/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecksTests.java" }, "digest": { "function_hash": "165482351688345707173695098433441287823", "length": 1319.0 }, "id": "CVE-2022-23708-5d0e65b7" }, { "signature_type": "Function", "deprecated": false, "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a", "signature_version": "v1", "target": { "function": "deprecatedAffixGroupedSetting", "file": "x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java" }, "digest": { "function_hash": "81242662974819149104372912973832414697", "length": 1971.0 }, "id": "CVE-2022-23708-6a9a5cc6" }, { "signature_type": "Line", "deprecated": false, "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a", "signature_version": "v1", "target": { "file": "x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java" }, "digest": { "threshold": 0.9, "line_hashes": [ "142965958877837107677794816119383469250", "16841893402362179998478465353024513221", 
"206022478088870697769046647787008760564", "216095244516550820119455808353224037846", "46142714263656663437914612207197745209", "15088390182960363056546331595655444257", "234182045088025048292414092125412433047", "255272807197668761160103392865329307400", "117362707116158116788652207123491886620", "292421547288413531568142709484731301692", "304976113980423471330374207259607813425" ] }, "id": "CVE-2022-23708-7138c559" }, { "signature_type": "Function", "deprecated": false, "source": "https://github.com/elastic/elasticsearch/commit/e5acb99f822233d62d6444ce45a4543dc1c8059a", "signature_version": "v1", "target": { "function": "deprecatedAffixSetting", "file": "x-pack/plugin/deprecation/src/main/java/org/elasticsearch/xpack/deprecation/NodeDeprecationChecks.java" }, "digest": { "function_hash": "1789796353482668074025554634844605557", "length": 1194.0 }, "id": "CVE-2022-23708-7b0c41ec" } ]