Description

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

Remediation

References

https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344

https://security.netapp.com/advisory/ntap-20211008-0002/

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2022-48285 Vulnerability in npm package jszip

CVE-2021-22964 Vulnerability in npm package fastify-static

CVE-2023-35145 Vulnerability in maven package org.jenkins-ci.plugins:sonargraph-integration

CVE-2023-28155 Vulnerability in maven package org.webjars.bower:request

CVE-2020-17527 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Third Party Advisory