CVE-2023-46666 MEDIUM

CVE-2023-46666: Elastic Sharepoint Online Python Connector Improper Access Control

Vendor Elastic

Product Elastic Sharepoint Online Python Connector

Weakness CWE-284

Published October 26, 2023

Last update September 9, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to all content on the Sharepoint site through Elasticsearch.

Key dates

Disclosure timeline

October 26, 2023 CVE published

September 9, 2024 Record updated

Identifiers

CVE CVE-2023-46666

CWE CWE-284

CVSS 5.3 / MEDIUM

Affected versions

Vendor Elastic

Product Elastic Sharepoint Online Python Connector

Affected <8.10.3.0