Lucene search

[email protected]CVE-2024-23446

HistoryFeb 07, 2024 - 4:15 a.m.

CVE-2024-23446

2024-02-0704:15:07

CWE-284

[email protected]

web.nvd.nist.gov

elastic

cve-2024-23446

security

detection engine

api

unauthorized access

document-level security

field-level security

nvd

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.3%

JSON

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.

Affected configurations

NVD

Node

elastickibanaRange8.0.0–8.12.1

CPENameOperatorVersion
elastic:kibanaelastic kibanalt8.12.1

CPE	Name	Operator	Version
elastic:kibana	elastic kibana	lt	8.12.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Kibana",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "8.12.1",
        "status": "affected",
        "version": "8.12.0",
        "versionType": "semver"
      }
    ]
  }
]

References

discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686

www.elastic.co/community/security

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.3%

JSON

Related for CVE-2024-23446

prion1 nessus1 cvelist1 nvd1