Bug 1226046 (CVE-2024-23445) - VUL-0: CVE-2024-23445: elasticsearch: elasticsearch: Remote Cluster Search Cross Cluster API Key insufficient restrictions
Summary: VUL-0: CVE-2024-23445: elasticsearch: elasticsearch: Remote Cluster Search Cr...
Status: RESOLVED FIXED
Alias: CVE-2024-23445
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/408901/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23445:6.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-06 14:38 UTC by SMASH SMASH
Modified: 2024-06-06 14:38 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description SMASH SMASH 2024-06-06 14:38:10 UTC
Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient
  restrictions (ESA-2024-13)

   It was identified that if a cross-cluster API key restricts search for a
   given index using the query or the field_security parameter, and the same
   cross-cluster API key also grants replication for the same index, the
   search restrictions are not enforced during cross cluster search
   operations and search results may include documents and terms that should
   not be returned.

   This issue only affects the API key-based security model for remote
   clusters, which was previously a beta feature and is released as GA with
   8.14.0.

   We would like to thank René Kalff for bringing this issue to our
   attention.

  Affected Versions:

   Elasticsearch version on or after 8.10.0 and before 8.14.0

  Solutions and Mitigations:

   The issue is resolved in version 8.14.0.

   Severity: CVSSv3: 6.5(Medium) -
   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

   CVE ID: CVE-2024-23445


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23445
https://bugzilla.redhat.com/show_bug.cgi?id=2290705
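The condition the advisory describes is purely a property of a single cross-cluster API key definition: a `search` entry carrying a `query` or `field_security` restriction, and a `replication` entry, both covering the same index pattern. The following audit script is an added example and is not code from the bug report, from SUSE or from Elastic. It assumes key definitions in the shape of the documented `access` object of the `POST /_security/cross_cluster/api_key` request (lists of `search` and `replication` entries with `names`, `query` and `field_security`); the key definitions it checks are constructed for the example, and the version range is the one stated in the advisory (on or after 8.10.0, before 8.14.0). Index-pattern overlap is approximated by matching each pattern against the other with `fnmatch`, which catches identical and prefix-nested patterns but not every pair of intersecting wildcards, so a clean result is necessary rather than sufficient.

```python
"""Audit Elasticsearch cross-cluster API key definitions for the overlap
described in ESA-2024-13 / CVE-2024-23445 (added example, not Elastic's code).

Assumptions (not from the bug report):
  * each key is a dict {"name": ..., "access": {...}} where "access" follows
    the documented request body of POST /_security/cross_cluster/api_key;
  * index-pattern overlap is approximated with fnmatch in both directions.
"""
from fnmatch import fnmatchcase

AFFECTED_MIN = (8, 10, 0)   # first affected release per the advisory
FIXED = (8, 14, 0)          # advisory: resolved in 8.14.0


def parse_version(v):
    """'8.13.4' -> (8, 13, 4); a pre-release suffix such as '-SNAPSHOT' is dropped."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def version_affected(v):
    """True when the cluster version lies in [8.10.0, 8.14.0)."""
    return AFFECTED_MIN <= parse_version(v) < FIXED


def patterns_overlap(a, b):
    """Heuristic overlap test: identical, or one pattern literally matches the other.
    'logs*' vs 'logs-2024*' is caught; '*-prod' vs 'logs-*' is not."""
    return a == b or fnmatchcase(a, b) or fnmatchcase(b, a)


def is_restricted(search_entry):
    """A search entry is restricted if it carries a query or field_security."""
    return bool(search_entry.get("query")) or bool(search_entry.get("field_security"))


def find_overlaps(access):
    """Return (search_pattern, replication_pattern) pairs where a restricted
    search entry and a replication entry of the same key cover the same indices."""
    hits = []
    for s in access.get("search", []):
        if not is_restricted(s):
            continue
        for r in access.get("replication", []):
            for sp in s.get("names", []):
                for rp in r.get("names", []):
                    if patterns_overlap(sp, rp):
                        hits.append((sp, rp))
    return hits


def audit_keys(keys, version):
    """Names of keys whose search restrictions the advisory says are not
    enforced on a cluster of the given version; empty if the version is fixed."""
    if not version_affected(version):
        return []
    return [k["name"] for k in keys if find_overlaps(k["access"])]


# Constructed sample definitions (not real keys).
# Weak: the same pattern is search-restricted and replicable through one key.
WEAK_KEY = {
    "name": "ccs-shared-logs",
    "access": {
        "search": [
            {
                "names": ["logs-*"],
                "query": {"term": {"visibility": "shared"}},
                "field_security": {"grant": ["*"], "except": ["customer_email"]},
            }
        ],
        "replication": [{"names": ["logs-*"]}],
    },
}

# Corrected: replication lives in its own key, so no single credential is
# both search-restricted and replication-capable on the same indices.
SEARCH_ONLY_KEY = {
    "name": "ccs-shared-logs-search",
    "access": {"search": WEAK_KEY["access"]["search"]},
}
REPLICATION_ONLY_KEY = {
    "name": "ccr-logs-replication",
    "access": {"replication": [{"names": ["logs-*"]}]},
}

if __name__ == "__main__":
    for key in (WEAK_KEY, SEARCH_ONLY_KEY, REPLICATION_ONLY_KEY):
        print(key["name"], find_overlaps(key["access"]))
    print(audit_keys([WEAK_KEY, SEARCH_ONLY_KEY, REPLICATION_ONLY_KEY], "8.13.4"))
```

The split into two keys only removes the overlap the advisory names; a holder of the replication key still receives the full index through replication, so the restricted search view was never a boundary against that remote in the first place. The actual fix remains upgrading to 8.14.0, with the audit serving to find keys whose restrictions were silently ineffective before the upgrade.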
Comment 1 Andrea Mattiazzo 2024-06-06 14:38:45 UTC
Closing as all products are not affected.