CVE-2024-23451 MEDIUM

CVE-2024-23451: Elasticsearch Incorrect Authorization in the Remote Cluster Security API key based security model

Vendor Elastic
Product Elasticsearch
Weakness CWE-863 · Incorrect authorization
Published March 27, 2024
Last update August 1, 2024

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

An Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and later versions before 8.13.0. It allows a malicious user who holds a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on that remote cluster, but only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of the Elasticsearch REST API endpoints are affected by this issue.

Key dates

Disclosure timeline

March 27, 2024 CVE published
August 1, 2024 Record updated
