X-Pack Security permission issue (ESA-2017-18)
An error was found in the X-Pack Security privilege enforcement. If a user has either ‘delete’ or ‘index’ permissions on an index in a cluster, they may be able to issue both delete and index requests against that index.
Previously if a user had bulk permission on an index they were able to also delete documents. This was an unintended consequence of this bug. After this fix is applied the delete permission must be explicitly granted to any users requiring this functionality.
Affected Versions: 5.3.0 to 5.5.2
Solutions and Mitigations:
X-Pack Security users should upgrade to version 5.6.0 or 5.5.3. If you cannot upgrade immediately you can workaround this issue by removing the ‘delete’ and ‘index’ permission from untrusted users.
CVE ID: CVE-2017-8447