Home > Vulnerability Database > CVE-2024-23451

Mend.io Vulnerability Database

CVE-2024-23451

Good to know:

Date: March 27, 2024

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

Language: Java

Severity Score

8.6

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-23451

Url: https://discuss.elastic.co/t/elasticsearch-8-13-0-security-update-esa-2024-07/356315

Url: https://www.mend.io/vulnerability-database/CVE-2024-23451

Severity Score

8.6

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version org.elasticsearch:elasticsearch:8.13.0

Learn More

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-23451

Good to know:

Date: March 27, 2024

Language: Java

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?