Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-23445

Date: June 12, 2024

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body  restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models  that was previously a beta feature and is released as GA with 8.14.0

Language: Java

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2024-23445
https://discuss.elastic.co/t/elasticsearch-8-14-0-security-update-esa-2024-13/360898
https://github.com/elastic/elasticsearch/commit/7d522145def78ac55146eaf429d761d961ed1d42
https://www.mend.io/vulnerability-database/CVE-2024-23445

Severity Score

Weakness Type (CWE)

Insecure Storage of Sensitive Information

CWE-922

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us