CVE-2024-23446

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-23446

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23446.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-23446

Published

2024-02-07T04:15:07.470Z

Modified

2026-03-14T12:31:19.350321Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.

References

Affected packages

Git / github.com/elastic/kibana

Affected ranges

Type

GIT

Repo

https://github.com/elastic/kibana

Events

Introduced

57ca5e139a33dd2eed927ce98d8231a1f217cd15

Fixed

3457f326b763887d154c9da00bd4e489221a2ff3

Database specific

{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.12.1"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23446.json"