Description

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

Remediation

References

https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344

https://security.netapp.com/advisory/ntap-20211008-0002/

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2022-25873 Vulnerability in maven package org.webjars.npm:vuetify

CVE-2023-46131 Vulnerability in maven package org.grails:grails-web-common

CVE-2022-1295 Vulnerability in npm package fullpage.js

CVE-2023-46497 Vulnerability in npm package @evershop/evershop

CVE-2023-45135 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Third Party Advisory