Elasticsearch 8.16.2 / 8.17.0 Security Update

Elasticsearch Incorrect Authorization (ESA-2024-46)

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

This issue only affects users that are making use of Document Level Security features in Elasticsearch.

The issue was discovered and responsibly disclosed to Elastic. Elastic has no indication that this issue is widely known or exploited.

Affected Versions:
Elasticsearch 8.16.0 and 8.16.1.

Solutions and Mitigations:
The issue is resolved in version 8.16.2 and 8.17.0

Severity: CVSSv4.0: 6 (Medium) CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVE ID: CVE-2024-12539