CVE-2024-23447

An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687	Vendor Advisory
https://www.elastic.co/community/security	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:elastic:network_drive_connector:*:*:*:*:*:*:*:*

History

14 Feb 2024, 20:02

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:elastic:network_drive_connector::::::::
CWE		NVD-CWE-Other
First Time		Elastic Elastic network Drive Connector
References	~~() https://www.elastic.co/community/security -~~	() https://www.elastic.co/community/security - Vendor Advisory
References	~~() https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687 -~~	() https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687 - Vendor Advisory

07 Feb 2024, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-07 04:15

Updated : 2024-02-28 20:54

NVD link : CVE-2024-23447

Mitre link : CVE-2024-23447

CVE.ORG link : CVE-2024-23447

JSON object : View

Products Affected

elastic

network_drive_connector

CWE

NVD-CWE-Other CWE-284

Improper Access Control

{"id": "CVE-2024-23447", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "bressers@elastic.co", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.6}]}, "published": "2024-02-07T04:15:07.687", "references": [{"url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687", "tags": ["Vendor Advisory"], "source": "bressers@elastic.co"}, {"url": "https://www.elastic.co/community/security", "tags": ["Vendor Advisory"], "source": "bressers@elastic.co"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "bressers@elastic.co", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Windows Network Drive Connector al utilizar la seguridad a nivel de documento para asignar permisos a un archivo, con permiso expl\u00edcito de escritura y denegaci\u00f3n de lectura. Aunque el usuario no puede acceder al documento en Network Drive, s\u00ed lo puede ver en las aplicaciones de b\u00fasqueda."}], "lastModified": "2024-02-14T20:02:00.753", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elastic:network_drive_connector:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5E54B7D-6061-43A3-BDF9-121F4A356E99", "versionEndExcluding": "8.12.1"}], "operator": "OR"}]}], "sourceIdentifier": "bressers@elastic.co"}