CVE-2024-23445


It was identified that if a cross-cluster API key (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body) restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross-cluster search operations, and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters (https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models), which was previously a beta feature and is released as GA with 8.14.0.


Published

2024-06-12T14:15:10.963

Last Modified

2025-09-26T23:43:11.980

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-922

Affected Vendors & Products
| Type        | Vendor  | Product       | Version/Range | Vulnerable? |
|-------------|---------|---------------|---------------|-------------|
| Application | elastic | elasticsearch | < 8.14.0      | Yes         |
