Bug 1758535 (CVE-2019-13415)

Summary: CVE-2019-13415 search-guard: authenticated users can gain read access to data they are not authorized to see
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aos-bugs, bmontgom, eparis, jburrell, jcantril, jokerman, nstielau, sponnaga
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:49:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1760649, 1760650, 1760651, 1760652, 1760653, 1760654, 1760655    
Bug Blocks: 1758536    

Description Guilherme de Almeida Suckevicz 2019-10-04 13:14:19 UTC 
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users can gain read access to data they are not authorized to see.

References:
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3
https://search-guard.com/cve-advisory/
Comment 1 Jason Shepherd 2019-10-09 04:53:59 UTC 
Use of Cross Cluster Search is not supported in all versions of OpenShift.
Comment 2 Product Security DevOps Team 2019-10-09 06:51:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13415