2271929 – (CVE-2024-23451) CVE-2024-23451 elasticsearch: Incorrect authorization issue in Remote Cluster Security

Bug 2271929 (CVE-2024-23451) - CVE-2024-23451 elasticsearch: Incorrect authorization issue in Remote Cluster Security

Summary: CVE-2024-23451 elasticsearch: Incorrect authorization issue in Remote Cluster...

Keywords:
Status:	NEW
Alias:	CVE-2024-23451
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2271930 2271931
Blocks:	2271932
TreeView+	depends on / blocked

Reported:	2024-03-27 19:12 UTC by Marco Benatto
Modified:	2025-03-17 23:44 UTC (History)
CC List:	15 users (show)
Fixed In Version:	elasticsearch-8.13.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-03-27 19:12:43 UTC

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

https://discuss.elastic.co/t/elasticsearch-8-13-0-security-update-esa-2024-07/356315

Note You need to log in before you can comment on or make changes to this bug.