Moderate severityNVD Advisory· Published Mar 27, 2024· Updated Aug 1, 2024

Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model

CVE-2024-23451

Description

Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.elasticsearch:elasticsearchMaven	>= 8.10.0, < 8.13.0	8.13.0

Affected products

Elastic/Elasticsearchv5
Range: 8.10.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-r3hx-qfh5-r9m7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-23451ghsaADVISORY
discuss.elastic.co/t/elasticsearch-8-13-0-security-update-esa-2024-07/356315ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000