Description

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

Remediation

References

https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344

https://security.netapp.com/advisory/ntap-20211008-0002/

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2018-5382 Vulnerability in maven package org.bouncycastle:bcprov-jdk16

CVE-2022-43414 Vulnerability in maven package org.jenkins-ci.plugins:nunit

CVE-2012-4458 Vulnerability in maven package org.apache.qpid:qpid-common

CVE-2022-39366 Vulnerability in maven package io.acryl:datahub-client

CVE-2022-24815 Vulnerability in npm package generator-jhipster

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Third Party Advisory