CVE-2021-37937
Description
An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate its privileges to those of a super-user.
CWE
- CWE-269: Improper Privilege Management
Affected
- Elastic / Elasticsearch — versions >=7.13.0, <7.14.0 [affected]
CVSS
- 3.1 score=5.9 severity=MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
References
- https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077
- https://www.elastic.co/community/security
Source
cvelistV5-main/cves/2021/37xxx/CVE-2021-37937.json