Elastic · Elasticsearch · CVE-2024-23445
Name of the Vulnerable Software and Affected Versions:
Elasticsearch versions prior to 8.14.0
Description:
The issue is in how Elasticsearch enforces the restrictions attached to a cross-cluster API key. If a cross-cluster API key restricts search for a given index using the `query` or the `field_security` parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross-cluster search operations. This may allow an attacker to disclose protected information. The issue only affects the API key-based security model for remote clusters, which was previously a beta feature and is released as GA with 8.14.0.
Recommendations:
As a temporary workaround, consider restricting access to the cross-cluster API key until a patch is available.
For versions prior to 8.14.0, update to version 8.14.0 or later to resolve the issue.
Avoid using the `query` or `field_security` parameters in the cross-cluster API key until the issue is resolved.
Restrict access to the API key-based security model for remote clusters to minimize the risk of exploitation.
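
The condition in the Description can be checked offline against exported key definitions. The following is an added example, not code from Elastic or from this advisory; it assumes each key's `access` object has the `search`/`replication` shape used when creating a cross-cluster API key, treats `*` as the only wildcard in index names, and runs on constructed sample keys.

```python
from functools import lru_cache

def patterns_overlap(a, b):
    """True if some index name matches both patterns (assumption: '*' is the only wildcard)."""
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] == "*":  # '*' matches nothing, or absorbs one symbol of b
            return go(i + 1, j) or (j < len(b) and go(i, j + 1))
        if j < len(b) and b[j] == "*":
            return go(i, j + 1) or (i < len(a) and go(i + 1, j))
        return i < len(a) and j < len(b) and a[i] == b[j] and go(i + 1, j + 1)
    return go(0, 0)

def affected_pairs(access):
    """(search pattern, replication pattern) pairs where restricted search and replication overlap."""
    repl = [n for e in access.get("replication", []) for n in e.get("names", [])]
    pairs = []
    for entry in access.get("search", []):
        if "query" not in entry and "field_security" not in entry:
            continue  # search is not restricted, so there is no restriction to lose
        for s in entry.get("names", []):
            pairs += [(s, r) for r in repl if patterns_overlap(s, r)]
    return pairs

def audit(keys):
    """Map key name -> overlapping pairs, for keys that meet the advisory's condition."""
    report = {}
    for key in keys:
        pairs = affected_pairs(key.get("access", {}))
        if pairs:
            report[key["name"]] = pairs
    return report

# Constructed sample key definitions (hypothetical names and index patterns).
SAMPLE_KEYS = [
    {"name": "ccs-restricted-and-ccr", "access": {
        "search": [{"names": ["logs-*"], "query": {"term": {"tenant": "a"}}}],
        "replication": [{"names": ["logs-2024*"]}]}},
    {"name": "ccs-fls-only", "access": {
        "search": [{"names": ["hr-*"], "field_security": {"grant": ["name"]}}]}},
    {"name": "ccs-ccr-disjoint", "access": {
        "search": [{"names": ["metrics-*"], "query": {"match_all": {}}}],
        "replication": [{"names": ["archive-*"]}]}},
    {"name": "unrestricted-search-ccr", "access": {
        "search": [{"names": ["public-*"]}], "replication": [{"names": ["public-*"]}]}},
]

if __name__ == "__main__":
    for name, pairs in audit(SAMPLE_KEYS).items():
        print(name, pairs)
```

Keys reported by `audit` are the ones to review on versions prior to 8.14.0; index names that use other pattern syntax need a manual check.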