CVE-2024-37282 — Improper Authorization in Cloud Enterprise
Severity
9.8 CRITICAL (NVD)
8.1 (CNA)
EPSS
0.4%
top 39.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 28
Latest update: Jan 30
Description
It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could be subsequently used to create new API keys that have elevated privileges.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-739c-hg26-wf67: It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could be subsequently u… (2026-01-30)
CVEList
CVE-2024-37282: It was identified that under certain specific preconditions, an API key that was originally created with specific privileges could be subsequently u… (2024-06-28)