Elastic SPO Python Connector Doc-Level Sec Bypass via Limited Access
CVE-2023-46666 Published on October 26, 2023
Elastic Sharepoint Online Python Connector Improper Access Control
An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in Elastic Sharepoint Online Python Connector. If a user is assigned limited access permissions to an item on a Sharepoint site then that user would have read permissions to all content on the Sharepoint site through Elasticsearch.
Vulnerability Analysis
CVE-2023-46666 is exploitable with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2023-46666 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2023-46666
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-46666 are published in Elastic Sharepoint Online Python Connector:
Affected Versions
Elastic Sharepoint Online Python Connector Version <8.10.3.0 is affected by CVE-2023-46666Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.