Lucene search

ElasticCVE-2024-23447

HistoryFeb 07, 2024 - 4:15 a.m.

CVE-2024-23447

2024-02-0704:15:07

CWE-284

elastic

web.nvd.nist.gov

cve-2024-23447

windows

network drive connector

document level security

nvd

file permissions

search applications.

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user.

Affected configurations

Nvd

Node

elasticnetwork_drive_connectorRange<8.12.1

VendorProductVersionCPE
elasticnetwork_drive_connector*cpe:2.3:a:elastic:network_drive_connector:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
elastic	network_drive_connector	*	cpe:2.3:a:elastic:network_drive_connector::::::::

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Elastic Network Drive Connector",
    "vendor": "Elastic",
    "versions": [
      {
        "lessThan": "8.12.1",
        "status": "affected",
        "version": "8.11.0",
        "versionType": "semver"
      }
    ]
  }
]

References

discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687

www.elastic.co/community/security

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

18.1%

JSON

Related for CVE-2024-23447