Improper access control in Elastic connectors - CVE-2024-23447

 

Improper access control in Elastic connectors - CVE-2024-23447

Published: July 2, 2024


Vulnerability identifier: #VU93636
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-23447
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Elastic Stack
Affected software:
Elastic connectors

Detailed vulnerability description

The vulnerability allows a remote user to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. A remote user can bypass implemented security restrictions and gain unauthorized access to sensitive information.


How to mitigate CVE-2024-23447

Install updates from vendor's website.

Sources