Typesense Improper Search Cache Isolation for Scoped Search API Keys (CVE-2024-4725)

Vulnerability Overview Vulnerability Name: Improper Search Cache Isolation for Scoped Search API Keys in Typesense Vulnerability ID: GHSA-97x4-gm45-jpcw Severity: Medium (6.0 / 10) CVSS v4 Base Metrics: - Attack Vector: Network - Attack Complexity: Low - Attack Requirements: Present - Privileges Required: Low - User Interaction: None - Confidentiality: High - Integrity: None - Availability: None - Subsequent System Impact: - Confidentiality: None - Integrity: None - Availability: None CVE ID: CVE-2024-4725 Weakness: CWE-524 Scope of Impact Affected Versions: - typesense-server =30.0, <30.2 Impact Description: - Certain versions of Typesense are affected by a cache isolation issue impacting search requests that utilize server-side search result caching and scoped search API keys. - Under specific request ordering conditions, cached search results may be reused across requests governed by different scoped search API keys. This could cause requests to receive search results that should have been restricted by their respective scoped search API keys. - This issue only affects search requests that use server-side search result caching and scoped search API keys with embedded filters to restrict search results within a collection. - This vulnerability may lead to the unintended disclosure of search results across scoped authorization contexts. It does not affect data integrity or service availability. Remediation Fixed Versions: - 30.2 - 29.1 Temporary Mitigations: - If immediate upgrade is not possible, users can mitigate this issue by disabling server-side search result caching for search requests using scoped search API keys.

Goal Reached Thanks to every supporter — we hit 100%!

Typesense Improper Search Cache Isolation for Scoped Search API Keys (CVE-2024-4725)

More from this source