CVE-2024-12539

EPSS 0.37%

Elasticsearch Incorrect Authorization vulnerability

發布日:2024/12/17修改日:2026/2/4

也稱為:GHSA-5mpw-4546-2wcrBIT-elasticsearch-2024-12539CGA-q86m-5pj3-q6jg

描述

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

受影響套件(2)

Bitnami/elasticsearch>= 8.16.0, < 8.17.0
Maven/org.elasticsearch:elasticsearch>= 8.16.0, < 8.16.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-12539
PATCHhttps://github.com/elastic/elasticsearch
WEBhttps://discuss.elastic.co/t/elasticsearch-8-16-2-8-17-0-security-update/372091