IBM Watson CP4D Data Stores update for Elastic Elasticsearch
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2024-23451 |
| CWE-ID | CWE-285 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Watson CP4D Data Stores Other software / Other software solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Improper Authorization
EUVDB-ID: #VU91267
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-23451
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to improper authorization within the API key based security model for Remote Cluster Security. A remote user with a valid API key for a remote cluster configured to use new Remote Cluster Security can read arbitrary documents from any index on the remote cluster, if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID.
Install update from vendor's website.
Vulnerable software versionsWatson CP4D Data Stores: before 5.0.3
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/7171984
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
