Base Score

MEDIUM6.5

CVE-2024-12539

An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.

VectorNETWORK

Published Bysecurity@elastic.co

Published DateDec 17, 2024, 21:15

Affected Versions(1)

org.elasticsearch:elasticsearch(Maven)

Introduced8.16.0

Fixed8.16.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.elasticsearch:elasticsearch(Maven)	8.16.0	8.16.2	N/A

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

References

https://discuss.elastic.co/t/elasticsearch-8-16-2-8-17-0-security-update/372091

Base Score

MEDIUM6.5

Weakness Type (CWE):CWE-863

CVSS Metrics

Base Score

Vector String

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Base Severity

MEDIUM

Version

4.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)