Description

Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).

Remediation

References

https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3

https://search-guard.com/cve-advisory/

Related Vulnerabilities

CVE-2022-27200 Vulnerability in maven package io.jenkins.plugins:folder-auth

CVE-2022-28355 Vulnerability in maven package org.scala-js:scalajs-library_2.12

CVE-2020-2283 Vulnerability in maven package org.jenkins-ci.plugins:liquibase-runner

CVE-2023-43499 Vulnerability in maven package com.sonyericsson.jenkins.plugins.bfa:build-failure-analyzer

CVE-2023-46652 Vulnerability in maven package org.jenkins-ci.plugins:lambdatest-automation

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Release Notes Vendor Advisory NVD-CWE-Other