Elasticsearch Security versions 6.4.0 to 6.4.2 contain an error in the way request headers are applied to requests when using the Active Directory, LDAP, Native, or File realms. If the same username is being authenticated concurrently, a request may receive headers intended for another request; when combined with the run-as feature, this can result in the request running as the wrong user. This could allow a user to access information that they should not have access to.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | 6.4.0 | 6.4.3 | N/A |
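As an added example (not part of the advisory and not Elastic's code), the following Python helper turns the affected range above into a check a defender can run against a cluster's root endpoint response (`GET /`, which reports `version.number`) and against the realm types configured for the node. The JSON body and the realm map are constructed sample inputs; the realm-type names (`active_directory`, `ldap`, `native`, `file`) are the ones the advisory lists, and the run-as flag is an assumption that the operator knows whether that feature is in use.

```python
import json

# Affected range from the advisory: 6.4.0 <= version < 6.4.3 (fixed in 6.4.3).
AFFECTED_MIN = (6, 4, 0)
FIXED = (6, 4, 3)

# Realm types named in the advisory as affected by the header mix-up.
AFFECTED_REALM_TYPES = {"active_directory", "ldap", "native", "file"}


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH[-suffix]' into a 3-tuple of ints.

    Pre-release suffixes such as '-SNAPSHOT' are dropped; missing
    components are padded with 0 so '6.4' compares as (6, 4, 0).
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def assess(cluster_info_json: str, realms: dict, run_as_in_use: bool) -> dict:
    """Combine version, realm configuration and run-as usage into a verdict.

    cluster_info_json: body of 'GET /' on the node (version.number is read).
    realms: mapping of realm name -> realm type (constructed by the caller).
    run_as_in_use: operator-supplied assumption about the run-as feature.
    """
    info = json.loads(cluster_info_json)
    version = info["version"]["number"]
    vulnerable_version = is_affected_version(version)
    exposed_realms = sorted(
        name for name, rtype in realms.items() if rtype in AFFECTED_REALM_TYPES
    )
    # Wrong-user execution needs all three: affected build, affected realm, run-as.
    risk = vulnerable_version and bool(exposed_realms) and run_as_in_use
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "exposed_realms": exposed_realms,
        "run_as_in_use": run_as_in_use,
        "wrong_user_risk": risk,
        "remediation": "upgrade to 6.4.3 or later" if vulnerable_version else "none",
    }


if __name__ == "__main__":
    # Constructed sample 'GET /' response and realm map, not captured from a real cluster.
    sample_root = json.dumps({"name": "node-1", "version": {"number": "6.4.2"}})
    sample_realms = {"ad1": "active_directory", "native1": "native", "pki1": "pki"}
    print(json.dumps(assess(sample_root, sample_realms, run_as_in_use=True), indent=2))
```

Run it against the stored output of the node's root endpoint and the realm types from your own configuration; the `wrong_user_risk` field is only set when the build, a listed realm type and run-as usage all coincide, which is the condition the advisory describes.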
CVSS Metrics