Lucene search

ElasticCVELIST:CVE-2023-46666

HistoryOct 26, 2023 - 4:16 p.m.

CVE-2023-46666 Elastic Sharepoint Online Python Connector Improper Access Control

2023-10-2616:16:10

CWE-284

elastic

www.cve.org

cve-2023-46666

document level security

limited access

sharepoint

elasticsearch

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

An issue was discovered when using Document Level Security and the SPO “Limited Access” functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to all content on the Sharepoint site through Elasticsearch.

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Elastic Sharepoint Online Python Connector",
    "vendor": "Elastic",
    "versions": [
      {
        "status": "affected",
        "version": "<8.10.3.0"
      }
    ]
  }
]

References

discuss.elastic.co/t/elastic-sharepoint-online-python-connector-v8-10-3-0-security-update/344732

www.elastic.co/community/security

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

Related for CVELIST:CVE-2023-46666