Kibana Broken Access Control issue (ESA-2024-01)
An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index.
Affected Versions:
Kibana 8.x versions prior to 8.12.1
Affected Configurations:
This issue only affects users that have assigned a role with DLS or FLS configured, users using KPI or group by feature on the alerts page or API users accessing the route directly.
Solutions and Mitigations:
The issue is resolved in version 8.12.1
Severity: CVSSv3: 6.5 (Medium) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2024-23446