CVE-2024-23446: 
Kibana vulnerability analysis and mitigation

A vulnerability was discovered in Elastic's Kibana product (CVE-2024-23446) where the Detection Engine Search API fails to properly enforce Document-level security (DLS) and Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. This security issue affects Kibana versions prior to 8.12.1, allowing authorized API users to potentially access unauthorized documents when their roles are configured with DLS or FLS restrictions (Elastic Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue is classified under CWE-284 (Improper Access Control). The vulnerability specifically affects users that have assigned roles with DLS or FLS configurations, particularly when using KPI or group by feature on the alerts page or when API users directly access the route (NVD, Elastic Advisory).

The vulnerability allows users with API access to bypass intended security restrictions and obtain unauthorized access to documents that should be limited by their DLS or FLS role configurations. This results in a potential confidentiality breach of sensitive information stored in the affected indices (Elastic Advisory).

The vulnerability has been patched in Kibana version 8.12.1. Users running affected versions should upgrade to this version or later to resolve the security issue (Elastic Advisory).