Bug 2290705 (CVE-2024-23445) - CVE-2024-23445 elasticsearch: Remote Cluster Search Cross Cluster API Key insufficient restrictions
Summary: CVE-2024-23445 elasticsearch: Remote Cluster Search Cross Cluster API Key insufficient restrictions
Status: NEW
Alias: CVE-2024-23445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
Blocks: 2290704
Reported: 2024-06-06 10:53 UTC by Rohit Keshri
Modified: 2025-03-17 23:44 UTC (History)

Description Rohit Keshri 2024-06-06 10:53:27 UTC
Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions (ESA-2024-13)

It was identified that if a cross-cluster API key restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned.

This issue only affects the API key based security model for remote clusters that was previously a beta feature and is released as GA with 8.14.0.

We would like to thank René Kalff for bringing this issue to our attention.

Affected Versions:

Elasticsearch version on or after 8.10.0 and before 8.14.0

Solutions and Mitigations:

The issue is resolved in version 8.14.0.

Severity: CVSSv3: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2024-23445
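
A small audit helper, added here as an example and not part of the advisory or of Elastic's code: it walks the `access` block of a cross-cluster API key (the `search` and `replication` lists with `names`, `query` and `field_security`, as in the Create Cross-Cluster API Key request body) and flags indices where a search grant carrying a `query` or `field_security` restriction overlaps a replication grant on the same key, which is the precondition this advisory describes. The wildcard overlap test and the two sample key definitions are assumptions constructed for the example.

```python
import fnmatch
import json


def patterns_overlap(a: str, b: str) -> bool:
    """Conservative overlap test for two index patterns: true if either one,
    read as a wildcard pattern, matches the other read as a literal name
    (catches 'logs-*' vs 'logs-prod' and identical patterns). Heuristic only,
    not Elasticsearch's own index-pattern resolution."""
    return fnmatch.fnmatchcase(a, b) or fnmatch.fnmatchcase(b, a)


def find_overlaps(access: dict) -> list:
    """Return (search_pattern, replication_pattern) pairs where a search entry
    carrying a `query` or `field_security` restriction overlaps a replication
    grant in the same key. Before 8.14.0 that restriction was not enforced
    for cross-cluster search (CVE-2024-23445)."""
    hits = []
    for s in access.get("search", []):
        if not (s.get("query") or s.get("field_security")):
            continue  # unrestricted search entry: nothing to bypass
        for r in access.get("replication", []):
            for sp in s.get("names", []):
                for rp in r.get("names", []):
                    if patterns_overlap(sp, rp):
                        hits.append((sp, rp))
    return hits


# Constructed sample `access` block: one key restricts search on 'logs-*' to
# one tenant's documents and two fields, but also grants replication on 'logs-*'.
RISKY_ACCESS = {
    "search": [{"names": ["logs-*"],
                "query": {"term": {"tenant": "acme"}},
                "field_security": {"grant": ["message", "@timestamp"]}}],
    "replication": [{"names": ["logs-*"]}],
}

# Constructed sample where replication covers disjoint indices, so the advisory's
# precondition (same key, same index) is not met. The advisory's fix is upgrading
# to 8.14.0; keeping the grants disjoint is an assumed hardening step, not its advice.
SAFE_ACCESS = {
    "search": [{"names": ["logs-*"], "query": {"term": {"tenant": "acme"}}}],
    "replication": [{"names": ["metrics-*"]}],
}

if __name__ == "__main__":
    for label, acc in (("risky", RISKY_ACCESS), ("safe", SAFE_ACCESS)):
        print(label, json.dumps(find_overlaps(acc)))  # risky -> [["logs-*", "logs-*"]], safe -> []
```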
