Bug 1226046 (CVE-2024-23445)

Summary: VUL-0: CVE-2024-23445: elasticsearch: elasticsearch: Remote Cluster Search Cross Cluster API Key insufficient restrictions
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: andrea.mattiazzo
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/408901/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23445:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-06-06 14:38:10 UTC
Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions (ESA-2024-13)

   It was identified that if a cross-cluster API key restricts search for a
   given index using the query or the field_security parameter, and the same
   cross-cluster API key also grants replication for the same index, the
   search restrictions are not enforced during cross cluster search
   operations and search results may include documents and terms that should
   not be returned.

   This issue only affects the API key based security model for remote
   clusters that was previously a beta feature and is released as GA with
   8.14.0.

   We would like to thank René Kalff for bringing this issue to our
   attention.

  Affected Versions:

   Elasticsearch version on or after 8.10.0 and before 8.14.0

  Solutions and Mitigations:

   The issue is resolved in version 8.14.0.

   Severity: CVSSv3: 6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

   CVE ID: CVE-2024-23445


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23445
https://bugzilla.redhat.com/show_bug.cgi?id=2290705
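The condition described in the advisory is a property of a single cross-cluster API key definition: a `search` grant carrying a `query` or `field_security` restriction on an index pattern, combined with a `replication` grant on an overlapping pattern, on a cluster running 8.10.0 up to but not including 8.14.0. The following is an added audit helper, not Elastic's code and not part of this bug report; it assumes the request-body shape of the Elasticsearch create cross-cluster API key API (`access.search[].names/query/field_security`, `access.replication[].names`) and uses constructed request bodies and index names for illustration. The pattern-overlap test is a conservative glob approximation (see the comment), and the only remediation the advisory states is upgrading to 8.14.0.

```python
"""Audit cross-cluster API key definitions for the ESA-2024-13 condition.

Hypothetical checker written for this bug page; the request bodies below are
constructed examples, not keys from any real deployment.
"""
from fnmatch import fnmatchcase


def is_affected_version(version: str) -> bool:
    """True for Elasticsearch 8.10.0 <= version < 8.14.0, the range the advisory gives."""
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    return (8, 10, 0) <= parts < (8, 14, 0)


def _patterns_overlap(a: str, b: str) -> bool:
    # Approximation of index-pattern overlap: either glob matches the other taken
    # literally. Catches "logs-*" vs "logs-*" and "logs-*" vs "logs-2024-*", but
    # misses pairs such as "a*" vs "*b" that both match "ab" without matching each
    # other; treat a clean result as "nothing obvious", not a proof.
    return fnmatchcase(a, b) or fnmatchcase(b, a)


def find_unenforced_restrictions(access: dict) -> list:
    """Return search entries whose query/field_security restriction is undermined
    by a replication grant on an overlapping index pattern in the same key.

    A search entry without `query` or `field_security` is skipped: there is no
    restriction for replication to bypass.
    """
    findings = []
    replication_names = [
        name
        for entry in access.get("replication", [])
        for name in entry.get("names", [])
    ]
    for entry in access.get("search", []):
        restrictions = [k for k in ("query", "field_security") if k in entry]
        if not restrictions:
            continue
        for name in entry.get("names", []):
            for rname in replication_names:
                if _patterns_overlap(name, rname):
                    findings.append(
                        {"index": name, "replicated_as": rname, "restrictions": restrictions}
                    )
    return findings


def audit(version: str, request: dict) -> str:
    """Combine the version check and the key-shape check into one verdict."""
    findings = find_unenforced_restrictions(request.get("access", {}))
    if not findings:
        return "ok"
    return "vulnerable" if is_affected_version(version) else "fixed-version"


# Constructed example of the risky shape: DLS (query) and FLS (field_security)
# on "logs-*" in the same key that also grants replication of "logs-*".
RISKY_KEY_REQUEST = {
    "name": "remote-logs-key",
    "access": {
        "search": [
            {
                "names": ["logs-*"],
                "query": {"term": {"tenant": "acme"}},
                "field_security": {"grant": ["@timestamp", "message"]},
            }
        ],
        "replication": [{"names": ["logs-*", "metrics-*"]}],
    },
}

# Constructed example that does not exhibit the condition: the restricted search
# grant is not paired with a replication grant on the same index pattern.
SAFE_KEY_REQUEST = {
    "name": "remote-logs-search-only",
    "access": {
        "search": [
            {
                "names": ["logs-*"],
                "query": {"term": {"tenant": "acme"}},
                "field_security": {"grant": ["@timestamp", "message"]},
            }
        ],
        "replication": [{"names": ["metrics-*"]}],
    },
}


if __name__ == "__main__":
    for version in ("8.13.4", "8.14.0"):
        for req in (RISKY_KEY_REQUEST, SAFE_KEY_REQUEST):
            print(version, req["name"], audit(version, req),
                  find_unenforced_restrictions(req["access"]))
```

To audit live keys, fetch them from the remote cluster with the query API keys endpoint and feed each key's `access` object to `find_unenforced_restrictions`; a "fixed-version" verdict still marks a key whose two grants should probably not have been combined, even though 8.14.0 enforces the restriction.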
Comment 1 Andrea Mattiazzo 2024-06-06 14:38:45 UTC
Closing as all products are not affected.