CVE-2022-23708
Elasticsearch privilege escalation
4.3
MEDIUM
CVSS 3.1
EPSS 0.24%
Description
A flaw was discovered in the upgrade assistant of Elasticsearch 7.17.0: upgrading from version 6.x to 7.x disabled the built-in protections on the security index, allowing any authenticated user with “*” index permissions to access that index. Users running a cluster on an affected version that had previously been upgraded from 6.x should upgrade to 7.17.1. Users planning an upgrade from 6.x should not upgrade to versions 7.16 through 7.17.0 and should use 7.17.1 or later as the upgrade target.
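The two facts a cluster admin needs to triage this are the node version (affected range 7.16.0 up to but not including 7.17.1) and which roles carry index privileges on the “*” pattern, since on an affected cluster upgraded from 6.x those roles can reach the security index. The following is an added offline triage helper, not Elastic's code and not part of this advisory; the JSON it parses is constructed inline to mimic the shape of the `GET /` and `GET _security/role` responses, and the role names in it are made up. Whether the cluster was actually upgraded from 6.x is not visible in these responses and must be checked separately.

```python
"""Offline triage helper for CVE-2022-23708 (added example, not Elastic's code)."""
import json
import re

AFFECTED_MIN = (7, 16, 0)   # inclusive lower bound of the affected range
FIXED = (7, 17, 1)          # first fixed version (exclusive upper bound)


def parse_version(s):
    """'7.17.0' -> (7, 17, 0); trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(s):
    """True when the version lies in [7.16.0, 7.17.1)."""
    return AFFECTED_MIN <= parse_version(s) < FIXED


def wildcard_index_roles(roles):
    """Names of roles granting any index privilege on the '*' pattern.

    The advisory describes exposure for users holding '*' index permissions;
    narrower patterns are deliberately not flagged here.
    """
    out = []
    for name, role in roles.items():
        for entry in role.get("indices", []):
            if "*" in entry.get("names", []) and entry.get("privileges"):
                out.append(name)
                break
    return sorted(out)


def triage(root_response, roles_response):
    """Combine the version check with the role scan into one report dict."""
    version = root_response["version"]["number"]
    affected = is_affected_version(version)
    exposed = wildcard_index_roles(roles_response) if affected else []
    return {"version": version, "affected_version": affected, "exposed_roles": exposed}


# Constructed sample responses (shape only; names and values are invented).
SAMPLE_ROOT = json.loads('{"name": "node-1", "version": {"number": "7.17.0"}}')
SAMPLE_ROLES = json.loads("""{
  "logs_reader": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
  "legacy_admin": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
  "everything_ro": {"indices": [{"names": ["metrics-*", "*"],
                                  "privileges": ["read", "view_index_metadata"]}]}
}""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROOT, SAMPLE_ROLES), indent=2))
```

Against live responses, feed the output of `GET /` and `GET _security/role` (saved to files) into `triage`; any role listed under `exposed_roles` on an affected, 6.x-origin cluster should have its “*” index pattern narrowed until the cluster is on 7.17.1 or later.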
How to fix CVE-2022-23708
To remediate CVE-2022-23708, upgrade the affected package to a fixed version below.
- upgrade to 7.17.1 or later
Is CVE-2022-23708 being exploited?
Low: EPSS is 0.24%, i.e. the predicted probability of exploitation in the wild over the next 30 days is small; this is a forecast, not a report of observed exploitation.
Affected packages (2)
- >= 7.16.0, < 7.17.1
- >= 7.16.0, < 7.17.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.3) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |