CVE-2022-23708
Description
A flaw was discovered in Elasticsearch 7.17.0’s upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “*” index permissions access to this index.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elasticsearch upgrade assistant flaw allows authenticated users with '*' index permissions to access the security index, leading to privilege escalation.
Vulnerability
In Elasticsearch 7.17.0, the upgrade assistant disables built-in protections on the security index when upgrading from version 6.x to 7.x. This affects clusters running versions 7.16.0 through 7.17.0 that were upgraded from 6.x. [1][2]
Exploitation
An authenticated user with "*" index permissions can exploit this flaw by accessing the security index, which normally contains sensitive data like password hashes and roles. The attacker must have network access to the cluster and valid credentials with the required permissions. No additional privileges are needed. [2]
Impact
The attacker gains unauthorized read access to the security index, potentially exposing sensitive information such as user credentials, role definitions, and security configurations. This could lead to privilege escalation and full cluster compromise, affecting both confidentiality and integrity of the system. [1][2]
Mitigation
Elasticsearch 7.17.1 fixes the issue. Users running an affected version that was upgraded from 6.x should upgrade to 7.17.1 immediately. If planning a new upgrade from 6.x, use version 7.17.1 or later. No other workaround is available. [2]
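The two preconditions the advisory states (a cluster in the 7.16.0 to 7.17.0 range that was upgraded from 6.x, and a role granting "*" index permissions) can be turned into a defender-side inventory check. The following Python is an added example, not code from the advisory, Elastic, or the GHSA: it assumes the operator has already fetched the JSON bodies of the cluster root endpoint (GET /) and the role listing (GET /_security/role) and embeds constructed sample responses of those shapes; whether the cluster was upgraded from 6.x is a fact the operator supplies, since no API field on the page records it.

```python
import re

# Affected range taken from the advisory: >= 7.16.0, < 7.17.1 (fixed in 7.17.1).
AFFECTED_MIN = (7, 16, 0)
FIXED_VERSION = (7, 17, 1)

# Constructed sample of a GET / response; only version.number is consulted.
SAMPLE_ROOT = {"name": "node-1", "cluster_name": "demo", "version": {"number": "7.17.0"}}

# Constructed sample of a GET /_security/role response, keyed by role name.
# "legacy_admin" is marked _reserved to show how built-in roles are filtered;
# the role names and grants here are invented for the example.
SAMPLE_ROLES = {
    "logs_analyst": {"cluster": [], "metadata": {},
                     "indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "broad_reader": {"cluster": [], "metadata": {},
                     "indices": [{"names": ["*"], "privileges": ["read"]}]},
    "kibana_ops": {"cluster": ["monitor"], "metadata": {},
                   "indices": [{"names": ["kibana_sample*"], "privileges": ["all"]},
                               {"names": ["*"], "privileges": ["view_index_metadata"]}]},
    "legacy_admin": {"cluster": ["all"], "metadata": {"_reserved": True},
                     "indices": [{"names": ["*"], "privileges": ["all"]}]},
}


def parse_version(text):
    """Return (major, minor, patch) from a version string such as '7.17.0' or '7.17.0-SNAPSHOT'."""
    match = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised Elasticsearch version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def version_is_affected(text):
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(text) < FIXED_VERSION


def roles_with_wildcard_index_access(roles, include_reserved=False):
    """Names of roles whose index privileges include the literal '*' pattern.

    Any privilege on '*' matches the advisory's precondition ("*" index permissions).
    Reserved (built-in) roles are skipped unless include_reserved is set.
    """
    hits = []
    for name, body in roles.items():
        if not include_reserved and body.get("metadata", {}).get("_reserved"):
            continue
        for grant in body.get("indices", []):
            if "*" in grant.get("names", []):
                hits.append(name)
                break
    return sorted(hits)


def assess(root_response, roles_response, upgraded_from_6x):
    """Combine the version check, the upgrade history and the role inventory."""
    version = root_response["version"]["number"]
    in_range = version_is_affected(version)
    wildcard_roles = roles_with_wildcard_index_access(roles_response)
    needs_upgrade = in_range and upgraded_from_6x
    return {
        "version": version,
        "version_in_affected_range": in_range,
        "upgraded_from_6x": upgraded_from_6x,
        "wildcard_roles": wildcard_roles,
        "needs_upgrade": needs_upgrade,
        # Exposed only when the flaw is present AND a role exists that could use it.
        "exposed": needs_upgrade and bool(wildcard_roles),
        "action": "upgrade to 7.17.1 or later" if needs_upgrade else "no action for CVE-2022-23708",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_ROOT, SAMPLE_ROLES, upgraded_from_6x=True).items():
        print("%-26s %s" % (key, value))
```

The role scan reports every role with a "*" index pattern regardless of the privilege granted, because the advisory does not narrow the precondition to a particular privilege; tightening that list is the operator's call. A cluster whose version is in range but that was installed fresh at 7.x is reported as not needing the upgrade for this CVE, matching the advisory's scope.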
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | >= 7.16.0, < 7.17.1 | 7.17.1 |
Affected products
OSV coordinates (3 entries):
- (no CPE) range: >= 7.16.0, < 7.17.1
- (no CPE) range: >= 7.16.0, < 7.17.1
- Range: versions 7.16.0 through 7.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/advisories/GHSA-pgq6-ccqj-hpqr (GHSA, advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-23708 (GHSA, advisory)
[3] discuss.elastic.co/t/elastic-stack-7-17-1-security-update/298447 (GHSA, x_refsource_MISC, web)
[4] security.netapp.com/advisory/ntap-20220729-0003 (GHSA, web)
[5] security.netapp.com/advisory/ntap-20220729-0003/ (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.