Описание
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned.
This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0
A flaw was found in Elasticsearch. If a cross-cluster API key restricts the search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross-cluster search operations. Search results may include documents and terms that should not be returned.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/fluentd-rhel8 | Not affected | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | ||
| Red Hat OpenStack Platform 16.1 | openstack-panko | Not affected | ||
| Red Hat OpenStack Platform 16.2 | openstack-panko | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected |
Показывать по
Дополнительная информация
Статус:
6.5 Medium
CVSS3
Связанные уязвимости
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0
It was identified that if a cross-cluster API key https://www.elastic ...
Уязвимость реализации прикладного программного интерфейса поисковой системы Elasticsearch, позволяющая нарушителю раскрыть защищаемую информацию
6.5 Medium
CVSS3