An issue was discovered by Elastic whereby the Detection Engine Search API does not respect document-level security (DLS) or field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS restrictions on those indices, because the restrictions are not applied to queries made through this API.
[
{
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"digest": {
"line_hashes": [
"201606926101981761165198018477399366221",
"68571496898305629436217873761975339552",
"106248183962439458817886600139816741681",
"254487700143949059801556026494769505498",
"87068743167677976748508957386413101640"
],
"threshold": 0.9
},
"id": "CVE-2024-23446-70dad566",
"target": {
"file": "x-pack/plugin/esql/src/main/java/org/elasticsearch/xpack/esql/stats/SearchStats.java"
},
"source": "https://github.com/elastic/elasticsearch/commit/6185ba65d27469afabc9bc951cded6c17c21e3f3"
}
]