CVE-2025-37736

· Published 07/11/2025 23:15 · Modified 11/12/2025 21:00

Labels: CVE-2025-37736 · 2025-11-07 · CWE-863 · [email protected]

Essential information

Published
07/11/2025 23:15
Modified
11/12/2025 21:00
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CWE-863 (Incorrect Authorization)
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The APIs affected by this issue are:

post:/platform/configuration/security/service-accounts
delete:/platform/configuration/security/service-accounts/{user_id}
patch:/platform/configuration/security/service-accounts/{user_id}
post:/platform/configuration/security/service-accounts/{user_id}/keys
delete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}
patch:/user
post:/users
post:/users/auth/keys
delete:/users/auth/keys
delete:/users/auth/keys/_all
delete:/users/auth/keys/{api_key_id}
delete:/users/{user_id}/auth/keys
delete:/users/{user_id}/auth/keys/{api_key_id}
delete:/users/{user_name}
patch:/users/{user_name}

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product
elastic / elastic cloud enterprise
CPE
cpe:2.3:a:elastic:elastic_cloud_enterprise:*:*:*:*:*:*:*:*

References