CVE-2024-23451: Incorrect Authorization in Elasticsearch

Severity
NVD: 6.5 MEDIUM
CNA: 4.4
EPSS: 0.3% (top 43.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 27

Description

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document I

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | elastic/elasticsearch | 8.10.0 | 8.13.0
NVD | elastic/elasticsearch | 8.10.0 | 8.13.0

🔴 Vulnerability Details (4)

CVEList: Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model (2024-03-27)
GHSA: Elasticsearch Incorrect Authorization vulnerability (2024-03-27)
OSV: Elasticsearch Incorrect Authorization vulnerability (2024-03-27)
OSV: CVE-2024-23451: Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8 (2024-03-27)

📋 Vendor Advisories (1)

Red Hat: elasticsearch: Incorrect authorization issue in Remote Cluster Security (2024-03-27)
CVE-2024-23451 — Incorrect Authorization in Elastic | cvebase