CVE-2024-23447 - OpenCVE

An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	Network Drive Connector

Configuration 1 [-]

cpe:2.3:a:elastic:network_drive_connector:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687
https://www.elastic.co/community/security

History

No history.

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2024-02-07T03:46:25.217Z

Updated: 2024-08-01T23:06:24.295Z

Reserved: 2024-01-16T21:31:26.030Z

Link: CVE-2024-23447

Vulnrichment

Updated: 2024-08-01T23:06:24.295Z

NVD

Status : Analyzed

Published: 2024-02-07T04:15:07.687

Modified: 2024-02-14T20:02:00.753

Link: CVE-2024-23447

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23447", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "state": "PUBLISHED", "assignerShortName": "elastic", "dateReserved": "2024-01-16T21:31:26.030Z", "datePublished": "2024-02-07T03:46:25.217Z", "dateUpdated": "2024-08-01T23:06:24.295Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Elastic Network Drive Connector", "vendor": "Elastic", "versions": [{"lessThan": "8.12.1", "status": "affected", "version": "8.11.0", "versionType": "semver"}]}], "datePublic": "2024-02-06T22:23:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user."}], "value": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2024-02-07T03:46:25.217Z"}, "references": [{"url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687"}, {"url": "https://www.elastic.co/community/security"}], "source": {"discovery": "UNKNOWN"}, "title": "Elastic Network Drive Connector Improper Access Control", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23447", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-07T15:52:35.837568Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:39.020Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:24.295Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687", "tags": ["x_transferred"]}, {"url": "https://www.elastic.co/community/security", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687", "tags": ["x_transferred"]}, {"url": "https://www.elastic.co/community/security", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:06:24.295Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23447", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-07T15:52:35.837568Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:39.545Z"}}], "cna": {"title": "Elastic Network Drive Connector Improper Access Control", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elastic", "product": "Elastic Network Drive Connector", "versions": [{"status": "affected", "version": "8.11.0", "lessThan": "8.12.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "datePublic": "2024-02-06T22:23:00.000Z", "references": [{"url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687"}, {"url": "https://www.elastic.co/community/security"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user.", "supportingMedia": [{"type": "text/html", "value": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic", "dateUpdated": "2024-02-07T03:46:25.217Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23447", "state": "PUBLISHED", "dateUpdated": "2024-08-01T23:06:24.295Z", "dateReserved": "2024-01-16T21:31:26.030Z", "assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "datePublished": "2024-02-07T03:46:25.217Z", "assignerShortName": "elastic"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:network_drive_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5E54B7D-6061-43A3-BDF9-121F4A356E99", "versionEndExcluding": "8.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Windows Network Drive Connector al utilizar la seguridad a nivel de documento para asignar permisos a un archivo, con permiso expl\u00edcito de escritura y denegaci\u00f3n de lectura. Aunque el usuario no puede acceder al documento en Network Drive, s\u00ed lo puede ver en las aplicaciones de b\u00fasqueda."}], "id": "CVE-2024-23447", "lastModified": "2024-02-14T20:02:00.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "bressers@elastic.co", "type": "Secondary"}]}, "published": "2024-02-07T04:15:07.687", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-network-drive-connector-8-12-1-security-update-esa-2024-02/352687"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "bressers@elastic.co", "type": "Secondary"}]}