How severe is CVE-2024-23445?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-23445?

This is classified as CWE-922, which is a common weakness in software security.

CVE-2024-23445 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0

Related Vulnerabilities

CVE-2018-13313

MEDIUM

CVSS:6.5(Medium)

In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the user to change their account name and password. This page, password.htm, contains JavaScript which is used to confirm the user kno...

CWE-9222018

CVE-2019-5632

MEDIUM

CVSS:6.5(Medium)

An insecure storage of sensitive information vulnerability is present in Hickory Smart for Android mobile devices from Belwith Products, LLC. The application's database was found to contain informatio...

CWE-9222019

CVE-2019-5633

MEDIUM

CVSS:6.5(Medium)

An insecure storage of sensitive information vulnerability is present in Hickory Smart for iOS mobile devices from Belwith Products, LLC. The application's database was found to contain information th...

CWE-9222019

CVE-2020-28911

MEDIUM

CVSS:6.5(Medium)

Incorrect Access Control in Nagios Fusion 4.1.8 and earlier allows low-privileged authenticated users to extract passwords used to manage fused servers via the test_server command in ajaxhelper.php.

CWE-9222020

CVE-2021-25406

MEDIUM

CVSS:6.5(Medium)

Information exposure vulnerability in Gear S Plugin prior to version 2.2.05.20122441 allows unstrusted applications to access connected BT device information.

CWE-9222021

CVE-2021-28653

MEDIUM

CVSS:6.5(Medium)

The iOS and macOS apps before 1.4.1 for the Western Digital G-Technology ArmorLock NVMe SSD store keys insecurely. They choose a non-preferred storage mechanism if the device has Secure Enclave suppor...

CWE-9222021