Moderate severity · NVD Advisory · Published Dec 17, 2024 · Updated Dec 17, 2024
Elasticsearch Incorrect Authorization
CVE-2024-12539
Description
An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | >= 8.16.0, < 8.16.2 | 8.16.2 |
Affected products
17 entries. osv-coords, 16 versions (no CPE):

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/elasticsearch-8 | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-8-bitnami | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-8-config | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-8-iamguarded | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-config | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-fips-8 | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-fips-8-bitnami | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-fips-8-config | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-fips-8-policy-140-2 | < 8.17.0-r0 |
| pkg:apk/chainguard/elasticsearch-fips-8-policy-140-3 | < 8.17.0-r0 |
| pkg:apk/chainguard/ruby3.2-elasticsearch | < 8.17.0-r0 |
| pkg:apk/chainguard/ruby3.3-elasticsearch | < 8.17.0-r0 |
| pkg:apk/wolfi/ruby3.2-elasticsearch | < 8.17.0-r0 |
| pkg:apk/wolfi/ruby3.3-elasticsearch | < 8.17.0-r0 |
| pkg:bitnami/elasticsearch | >= 8.16.0, < 8.17.0 |
| pkg:maven/org.elasticsearch/elasticsearch | >= 8.16.0, < 8.16.2 |

- Range: 8.16.0