HIGHβœ“ PATCHπŸ‡΅πŸ‡± Wersja polska

CVE-2025-37736

CVSS 8.8v3.1pub. 2025-11-07upd. 2025-12-11

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by this issue is: post:/platform/configuration/security/service-accounts delete:/platform/configuration/security/service-accounts/{user_id} patch:/platform/configuration/security/service-accounts/{user_id} post:/platform/configuration/security/service-accounts/{user_id}/keys delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id} patch:/user post:/users post:/users/auth/keys delete:/users/auth/keys delete:/users/auth/keys/_all delete:/users/auth/keys/{api_key_id} delete:/users/{user_id}/auth/keys delete:/users/{user_id}/auth/keys/{api_key_id} delete:/users/{user_name} patch:/users/{user_name}

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Elastic Cloud Enterprise

    APP
    Elastic
    3.8.0 – 3.8.3 (bez)4.0.0 – 4.0.3 (bez)
🟒
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2025-37729CRITICAL9.1PL βœ“ten sam produkt

Elastic Cloud Enterprise β€” Server-Side Template Injection (SSTI) w silniku Jinjava

CVE-2024-37282HIGH8.1ten sam produkt

It was identified that under certain specific preconditions, an API key that was originally created with a spe...

CVE-2023-31418HIGH7.5ten sam produkt

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...

CVE-2018-3828HIGH7.5ten sam produkt

Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 contain an information exposure vulnerability. It was d...

CVE-2022-23716MEDIUM5.3ten sam produkt

A flaw was discovered in ECE before 3.1.1 that could lead to the disclosure of the SAML signing private key us...

CVE-2025-37736 β€” Elastic β€” Elastic Cloud Enterprise β€” HIGH β€” CVSS 8.8 | CVEbaza.pl