Description
Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled: authenticated users were always authorized on the local cluster, ignoring their roles on the remote cluster(s).
Remediation
References
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3
https://search-guard.com/cve-advisory/