CVE-2024-12539

EPSS 0.37%

Elasticsearch Incorrect Authorization vulnerability

Published: 12/17/2024Modified: 2/4/2026

Also known as:GHSA-5mpw-4546-2wcrBIT-elasticsearch-2024-12539CGA-q86m-5pj3-q6jg

Description

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

Affected packages (2)

Bitnami/elasticsearch>= 8.16.0, < 8.17.0
Maven/org.elasticsearch:elasticsearch>= 8.16.0, < 8.16.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-12539
PATCHhttps://github.com/elastic/elasticsearch
WEBhttps://discuss.elastic.co/t/elasticsearch-8-16-2-8-17-0-security-update/372091