An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.
References
Link | Resource |
---|---|
https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 | Vendor Advisory |
https://www.elastic.co/community/security | Vendor Advisory |
https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 | Vendor Advisory |
https://www.elastic.co/community/security | Vendor Advisory |
Configurations
History
21 Nov 2024, 08:57
Type | Values Removed | Values Added |
---|---|---|
References | () https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 - Vendor Advisory | |
References | () https://www.elastic.co/community/security - Vendor Advisory |
14 Feb 2024, 20:10
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CWE | NVD-CWE-Other | |
References | () https://www.elastic.co/community/security - Vendor Advisory | |
References | () https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 - Vendor Advisory | |
First Time |
Elastic
Elastic kibana |
|
CPE | cpe:2.3:a:elastic:kibana:*:*:*:*:*:*:*:* |
07 Feb 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-07 04:15
Updated : 2024-11-21 08:57
NVD link : CVE-2024-23446
Mitre link : CVE-2024-23446
CVE.ORG link : CVE-2024-23446
JSON object : View
Products Affected
elastic
- kibana
CWE