Medium severity5.3NVD Advisory· Published Aug 18, 2017· Updated May 13, 2026

CVE-2017-8446

Description

The Reporting feature in X-Pack in versions prior to 5.5.2 and standalone Reporting plugin versions versions prior to 2.4.6 had an impersonation vulnerability. A user with the reporting_user role could execute a report with the permissions of another reporting user, possibly gaining access to sensitive data.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.elasticsearch.plugin:x-packMaven	< 5.5.2	5.5.2

Affected products

Elasticsearch/X Pack
cpe:2.3:a:elasticsearch:x-pack:*:*:*:*:*:*:*:*
Range: <=5.5.1
Elasticsearch/X Pack Reporting
cpe:2.3:a:elasticsearch:x-pack_reporting:*:*:*:*:*:*:*:*
Range: <=2.4.5
Elastic/Elastic X-Pack Reportingv5
Range: Before 5.5.2 and 2.4.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-m728-qvxh-xfjqghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-8446ghsaADVISORY
www.elastic.co/community/securitynvdVendor AdvisoryWEB

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000