Lucene search
K

204 matches found

OSV
OSV
added 2024/03/06 10:54 a.m.18 views

BIT-ELASTICSEARCH-2020-7019

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attack...

6.5CVSS6.2AI score0.01204EPSS
Exploits0References3
OSV
OSV
added 2024/03/06 10:54 a.m.35 views

BIT-ELASTICSEARCH-2020-7020

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documen...

3.5CVSS3.6AI score0.00999EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2024/02/09 12:0 a.m.67 views

Kibana 8.0.x < 8.12.1 (ESA-2024-01)

The version of Kibana installed on the remote host is prior to 8.12.1. It is, therefore, affected by a vulnerability as referenced in the ESA-2024-01 advisory. - An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document- level security DLS or Field-leve...

6.5CVSS6.5AI score0.005EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2024/02/08 3:21 a.m.7 views

SUSE CVE-2024-23446

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security DLS or Field-level security FLS when querying the .alerts-security.alerts-spaceid indices. Users who are authorized to call this API may obtain unauthorized access to documents if...

6.5CVSS7AI score0.005EPSS
Exploits0References3
NVD
NVD
added 2024/02/07 4:15 a.m.26 views

CVE-2024-23446

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security DLS or Field-level security FLS when querying the .alerts-security.alerts-spaceid indices. Users who are authorized to call this API may obtain unauthorized access to documents if...

6.5CVSS6.5AI score0.005EPSS
Exploits0References2
CVE
CVE
added 2024/02/07 3:16 a.m.113 views

CVE-2024-23446

CVE-2024-23446 pertains to Kibana’s Detection Engine Search API failing to enforce Document-level security (DLS) and Field-level security (FLS) on .alerts-security.alerts-{space_id} indices. The issue allows users with API access and DLS/FLS-enabled roles to potentially read unauthorized document...

6.5CVSS6.4AI score0.005EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2024/02/07 3:16 a.m.23 views

CVE-2024-23446 Kibana Broken Access Control issue

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security DLS or Field-level security FLS when querying the .alerts-security.alerts-spaceid indices. Users who are authorized to call this API may obtain unauthorized access to documents if...

6.5CVSS6.7AI score0.005EPSS
Exploits0References2
OSV
OSV
added 2024/02/07 3:16 a.m.6 views

CVE-2024-23446 Kibana Broken Access Control issue

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security DLS or Field-level security FLS when querying the .alerts-security.alerts-spaceid indices. Users who are authorized to call this API may obtain unauthorized access to documents if...

6.5CVSS6.6AI score0.005EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2024/02/06 12:0 a.m.8 views

PT-2024-1691 · Elastic · Kibana

Name of the Vulnerable Software and Affected Versions: Kibana affected versions not specified Description: The issue is related to insufficient access control in the Kibana data visualization service. It allows a remote attacker to impact the confidentiality of protected information. Specifically...

6.8CVSS6.3AI score0.005EPSS
Exploits0References10
Veracode
Veracode
added 2023/11/21 5:45 a.m.17 views

Improper Authorization

strapi-plugin-protected-populate is vulnerable to Improper Authorization. The vulnerability is due to the protectPopulate function of protect-route.js, which allows a users to populate fields they don't have access, resulting in field-level security bypass...

5.3CVSS7AI score0.00601EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2023/11/20 12:0 a.m.4 views

PT-2023-30736 · Strapi · Strapi Protected Populate Plugin

Name of the Vulnerable Software and Affected Versions: Strapi Protected Populate Plugin versions prior to 1.3.4 Description: The issue allows users to bypass field level security, enabling them to populate fields they do not have access to. This affects get endpoints, which are protected by the...

5.3CVSS5AI score0.00601EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 2023/09/15 6:57 p.m.13 views

CVE-2023-37263 Strapi's field level permissions not being respected in relationship title

Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible...

6.8CVSS6.6AI score0.00534EPSS
Exploits1References2
CVE
CVE
added 2023/09/15 6:57 p.m.105 views

CVE-2023-37263

CVE-2023-37263 affects Strapi (open-source headless CMS). The issue: field-level permissions are not respected in the relationship title, causing a field the user should not see to be visible when a relation includes that field. Impact is described as information disclosure under older releases. ...

6.8CVSS5AI score0.00534EPSS
Exploits1References2Affected Software1
Veracode
Veracode
added 2023/09/15 7:36 a.m.13 views

Improper Authorization

@strapi/plugin-content-manager is vulnerable to Improper Authorization. The vulnerability is due to Field level permissions not being respected in the relationship title, as there are no RBAC permission checks to read the field in relations.js...

6.8CVSS6.6AI score0.00534EPSS
Exploits1References4Affected Software1
Redos
Redos
added 2023/06/15 12:0 a.m.18 views

ROS-20230615-02

The vulnerability of the OpenSearch software package is related to the implementation of detailed access control rules document-level security, field-level security, and field masking when they were incorrectly applied to queries during extremely rare runtime conditions. Exploitation of the of th...

5.9CVSS5.9AI score0.0046EPSS
Exploits0
CNNVD
CNNVD
added 2023/05/08 12:0 a.m.19 views

OpenSearch 安全漏洞

OpenSearch Project is OpenSearch Project open source a community-driven, Apache 2.0 licensed open source search and analytics suite. Making it easy to access, search, visualize and analyze data. A security vulnerability exists in OpenSearch versions 1.3.10 and 2.7.0 that stems from a problem with...

5.9CVSS5.8AI score0.0046EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2023/02/15 4:45 a.m.5 views

SUSE CVE-2017-8449

X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index...

5.9CVSS5.9AI score0.00834EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/02/15 4:15 a.m.6 views

SUSE CVE-2019-7611

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the aliases, shrink, or split endpoints are used . If the elasticsearch.yml file has xpack.security.dlsfls.enabled set to false, certain permission...

8.1CVSS6.7AI score0.02149EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/02/15 4:2 a.m.4 views

SUSE CVE-2020-7020

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documen...

3.5CVSS6.7AI score0.00999EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/02/15 4:2 a.m.5 views

SUSE CVE-2020-7019

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attack...

6.5CVSS7.2AI score0.01204EPSS
Exploits0References3
Rows per page
Query Builder