Search Guard versions before 24.3 had an issue where, when Cross Cluster Search (CCS) was enabled, authenticated users could gain read access to data they were not authorized to see.
Metric | Value |
---|---|
Vector | NETWORK |
Complexity | MEDIUM |
Authentication | SINGLE_INSTANCE |
Confidentiality | PARTIAL |
Integrity | NONE |
Availability | NONE |
Search-guard Search guard 22.3 (not an official CPE)
Search-guard Search guard 21.0 (not an official CPE)
Search-guard Search guard 6.5.3-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.5.1-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.4.3-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.4.2-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.4.1-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.4.0-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.4.0-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.2-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.2-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.2-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.1-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.1-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.1-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.0-16 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.3.0-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.4-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.4-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.3-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.3-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.2-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.2-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.1-15 ~~~kibana~~ (not an official CPE)
Search-guard Search guard 6.2.1-14 ~~~kibana~~ (not an official CPE)
Search-guard Search guard - (not an official CPE)
Search-guard Search guard 23.0 (not an official CPE)
Search-guard Search guard 23.1 (not an official CPE)
Search-guard Search guard 23.2 (not an official CPE)
Search-guard Search guard 24.0 (not an official CPE)
Search-guard Search guard 24.1 (not an official CPE)
Search-guard Search guard 24.2 (not an official CPE)
Advisory | Patch | Confirmed | Link |
---|---|---|---|
https://docs.search-guard.com/6.x-25/changelog-searchgua... | |||
https://search-guard.com/cve-advisory/ |
Improper Authorization (ID 285)
Related CAPEC 13
Accessing Functionality Not Properly Constrained by ACLs (CAPEC-ID 1)
Cross Zone Scripting (CAPEC-ID 104)
Directory Indexing (CAPEC-ID 127)
Subverting Environment Variable Values (CAPEC-ID 13)
Accessing, Modifying or Executing Executable Files (CAPEC-ID 17)
Manipulating Opaque Client-based Data Tokens (CAPEC-ID 39)
Buffer Overflow via Symbolic Links (CAPEC-ID 45)
Poison Web Service Registry (CAPEC-ID 51)
Session Credential Falsification through Prediction (CAPEC-ID 59)
Reusing Session IDs (aka Session Replay) (CAPEC-ID 60)
Manipulating Input to File System Calls (CAPEC-ID 76)
Manipulating User-Controlled Variables (CAPEC-ID 77)
Forceful Browsing (CAPEC-ID 87)