|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2024-23446: kibana: Broken Access Control issue (ESA-2024-01) | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | SMASH SMASH <smash_bz> |
| Component: | Incidents | Assignee: | Cloud Bugs <cloud-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | thomas.leroy |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/393323/ | ||
| Whiteboard: | |||
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Only Kibana 8.x affected. Closing. |
An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23446 https://www.cve.org/CVERecord?id=CVE-2024-23446 https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 https://www.elastic.co/community/security