Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions (ESA-2024-13)
It was identified that if a cross-cluster API key restricts search for a given index using the query (document-level security) or the field_security (field-level security) parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross-cluster search operations, and search results may include documents and terms that should not be returned.
This issue only affects the API key based security model for remote clusters, which was previously a beta feature and is released as GA with 8.14.0. Remote clusters connected with the certificate-based security model are not affected.
We would like to thank René Kalff for bringing this issue to our attention.
Affected Versions:
Elasticsearch version on or after 8.10.0 and before 8.14.0
Solutions and Mitigations:
The issue is resolved in version 8.14.0. Until the upgrade is applied, do not issue a single cross-cluster API key whose search access uses query or field_security for indices that the same key's replication access also names; use separate cross-cluster API keys for search and for replication instead, so that the replication grant cannot bypass the search restrictions.
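The following audit helper is an added example, not Elastic's code or part of this advisory. It inspects the access object of a cross-cluster API key (the same shape as the Create Cross-Cluster API key request body: search entries with names, query and field_security, and replication entries with names) together with the list of concrete index names on the remote cluster, and reports the indices where a query- or field_security-restricted search entry overlaps a replication entry, which is the affected combination. The key definitions and index names below are constructed; index pattern matching with fnmatchcase is an approximation of Elasticsearch's wildcard patterns and the version parsing ignores pre-release suffixes (both assumptions).

```python
"""Audit cross-cluster API key access definitions for the ESA-2024-13 condition:
a search entry restricted by `query` or `field_security` that overlaps a
replication entry of the same key. Added example; sample data is constructed."""
from fnmatch import fnmatchcase

AFFECTED_MIN = (8, 10, 0)  # first affected release, per the advisory
FIXED = (8, 14, 0)         # release that resolves the issue, per the advisory


def parse_version(version: str) -> tuple:
    # "8.13.4" -> (8, 13, 4); a "-SNAPSHOT"-style suffix is dropped (assumption)
    return tuple(int(part) for part in version.split("-")[0].split("."))


def version_affected(version: str) -> bool:
    """True for 8.10.0 <= version < 8.14.0."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def _covers(entries, index: str) -> bool:
    # Elasticsearch index patterns use '*'; fnmatchcase approximates them (assumption)
    return any(fnmatchcase(index, pattern)
               for entry in entries for pattern in entry.get("names", []))


def overlapping_indices(access: dict, indices) -> list:
    """Indices for which a restricted search entry (one carrying `query` or
    `field_security`) AND a replication entry both apply. Unrestricted search
    entries are ignored: they are not part of the affected condition."""
    restricted = [e for e in access.get("search", [])
                  if "query" in e or "field_security" in e]
    replication = access.get("replication", [])
    return sorted(i for i in indices
                  if _covers(restricted, i) and _covers(replication, i))


def key_affected(access: dict, indices, version: str) -> bool:
    """A key is exposed only on an affected version AND with an overlap."""
    return version_affected(version) and bool(overlapping_indices(access, indices))


# Constructed sample: the weak definition, one key doing both jobs.
VULNERABLE_ACCESS = {
    "search": [
        {"names": ["logs-*"],
         "query": {"term": {"tenant": "acme"}},                     # DLS
         "field_security": {"grant": ["@timestamp", "message"]}},   # FLS
        {"names": ["metrics-*"]},   # unrestricted search, not part of the bug
    ],
    "replication": [{"names": ["logs-*", "metrics-*"]}],
}

# Constructed sample: the corrected layout, search and replication on separate keys.
SEARCH_KEY_ACCESS = {"search": [VULNERABLE_ACCESS["search"][0]]}
REPLICATION_KEY_ACCESS = {"replication": [{"names": ["logs-*"]}]}

# Constructed index names as they might exist on the remote (fulfilling) cluster.
SAMPLE_INDICES = ["logs-app-000001", "logs-app-000002", "metrics-host-000001"]


if __name__ == "__main__":
    for label, access in (("combined key", VULNERABLE_ACCESS),
                          ("search-only key", SEARCH_KEY_ACCESS),
                          ("replication-only key", REPLICATION_KEY_ACCESS)):
        print(label, "->", overlapping_indices(access, SAMPLE_INDICES))
```

The check deliberately keeps the unrestricted metrics-* search entry out of the result: the advisory's condition is a search restriction that replication on the same index silently undoes, so a search grant without query or field_security has nothing to bypass. Run the audit against every key returned by the Get API key API with type cross_cluster, and upgrade the remote cluster before relying on the split-key layout as more than a stopgap.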
Severity: CVSSv3: 6.5(Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2024-23445