#VU93636 Improper access control in Elastic connectors - CVE-2024-23447
Published: July 2, 2024
Vulnerability identifier: #VU93636
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23447
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Elastic connectors
Elastic connectors
Software vendor:
Elastic Stack
Elastic Stack
Description
The vulnerability allows a remote user to gain unauthorized access to sensitive information.
The vulnerability exists due to improper access restrictions in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.
Remediation
Install updates from vendor's website.