Description

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).

Remediation

References

https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3

https://search-guard.com/cve-advisory/

Related Vulnerabilities

CVE-2022-2390 Vulnerability in maven package com.google.android.gms:play-services-basement

CVE-2019-16555 Vulnerability in maven package com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer

CVE-2023-24455 Vulnerability in maven package io.jenkins.plugins:visualexpert

CVE-2023-46998 Vulnerability in maven package org.webjars.npm:bootbox

CVE-2023-33003 Vulnerability in maven package org.jenkins-ci.plugins:tag-profiler

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Release Notes Vendor Advisory NVD-CWE-Other