Vulnerability DatabaseCVE-2024-23451
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-23451
March 27, 2024
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.
Affected Packages
org.elasticsearch:elasticsearch (JAVA):
Affected version(s) >=8.10.0 <8.13.0
Fix Suggestion:
Update to version 8.13.0
Related Resources (3)
https://discuss.elastic.co/t/elasticsearch-8-13-0-security-update-esa-2024-07/356315
https://nvd.nist.gov/vuln/detail/CVE-2024-23451
https://github.com/elastic/elasticsearch
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Incorrect Authorization
CWE-863
EPSS
Base Score:
0.18