Bug 1758313 (CVE-2019-13416) - CVE-2019-13416 search-guard: authenticated users ignoring their roles on the remote cluster
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-13416
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1760649 1760650 1760651 1760652 1760653 1760654 1760655
Blocks: 1758314
 
Reported: 2019-10-03 20:10 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-27 10:49 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-10-27 10:49:28 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2019-10-03 20:10:13 UTC
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled: authenticated users are always authorized on the local cluster, ignoring their roles on the remote cluster(s).

References:
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3
https://search-guard.com/cve-advisory/

Comment 1 Jason Shepherd 2019-10-11 03:29:43 UTC
Use of Cross Cluster Search is not supported in all versions of OpenShift.

