Description
Search Guard versions before 24.3 had an issue where, when Cross Cluster Search (CCS) was enabled, authenticated users were always authorized on the local cluster, ignoring their roles on the remote cluster(s).
Remediation
References
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3
https://search-guard.com/cve-advisory/