CVE-2024-23446
Kibana Broken Access Control issue
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.
Elastic descubrió un problema por el cual la API de búsqueda del motor de detección no respeta la seguridad a nivel de documento (DLS) o la seguridad a nivel de campo (FLS) al consultar los índices .alerts-security.alerts-{space_id}. Los usuarios que estén autorizados a llamar a esta API pueden obtener acceso no autorizado a documentos si sus roles están configurados con DLS o FLS contra el índice antes mencionado.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-01-16 CVE Reserved
- 2024-02-07 CVE Published
- 2024-02-15 EPSS Updated
- 2024-08-19 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://discuss.elastic.co/t/kibana-8-12-1-security-update-esa-2024-01/352686 | 2024-02-14 | |
| https://www.elastic.co/community/security | 2024-02-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Elastic Search vendor "Elastic" | Kibana Search vendor "Elastic" for product "Kibana" | >= 8.0.0 < 8.12.1 Search vendor "Elastic" for product "Kibana" and version " >= 8.0.0 < 8.12.1" | - |
Affected
| ||||||