CVE-2024-23445

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-23445

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23445.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-23445

Aliases

BIT-elasticsearch-2024-23445

Downstream

UBUNTU-CVE-2024-23445

Related

Published

2024-06-12T14:15:10Z

Modified

2025-10-21T02:35:06Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned.

This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0

References

https://discuss.elastic.co/t/elasticsearch-8-14-0-security-update-esa-2024-13/360898

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type: GIT
Repo: https://github.com/elastic/elasticsearch
Events: Introduced

e338da74c79465dfdc204971e600342b0aa87b6b

Fixed

8d96bbe3bf5fed931f3119733895458eab75dca9