Auth bypass in Elastic X-Pack Security
CVE-2018-3822
X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Pro…
Vulnerability class: Broken Authentication
EPSS: 0.006 (68.8th percentile)
Affected products
- Elastic X-Pack Security — versions 6.2.0, 6.2.1, and 6.2.2
References
- discuss.elastic.co/t/elastic-stack-6-2-3-security-update/124848 (x_refsource_CONFIRM)