Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-46666— Elastic Sharepoint Online Python Connector Improper Access Control

CVSS 5.3 · Medium EPSS 0.09% · P25
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-46666

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Elastic Sharepoint Online Python Connector Improper Access Control
Source: NVD (National Vulnerability Database)
Vulnerability Description
An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to all content on the Sharepoint site through Elasticsearch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Elasticsearch 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Elasticsearch是一个基于Lucene库的搜索引擎。 Elasticsearch 存在安全漏洞,该漏洞源于在 Elastic Sharepoint Online Python 连接器中使用文档级安全性和 SPO “Limited Access” 功能时,如果为用户分配了对 Sharepoint 站点上某个项目的有限访问权限,则该用户将拥有通过 Elasticsearch 读取 Sharepoint 站点上所有内容的权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
ElasticElastic Sharepoint Online Python Connector <8.10.3.0 -

II. Public POCs for CVE-2023-46666

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-46666

登录查看更多情报信息。

Same Patch Batch · Elastic · 2023-10-26 · 8 CVEs total

CVE-2023-314229.0 CRITICALKibana Insertion of Sensitive Information into Log File
CVE-2023-466678.1 HIGHFleet Server Insertion of Sensitive Information into Log File
CVE-2023-314187.5 HIGHElasticsearch uncontrolled resource consumption
CVE-2023-314196.5 MEDIUMElasticsearch StackOverflow vulnerability
CVE-2023-314215.9 MEDIUMBeats, Elastic Agent, APM Server, and Fleet Server Improper Certificate Validation issue
CVE-2023-314165.3 MEDIUMElastic Cloud on Kubernetes (ECK) secret token configuration issue
CVE-2023-314174.1 MEDIUMElasticsearch Insertion of sensitive information in audit logs

IV. Related Vulnerabilities

Same vendor: Elastic
Same weakness: CWE-284

V. Comments for CVE-2023-46666

No comments yet

Leave a comment