
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An issue was discovered in which improper authorization controls on certain queries could allow a malicious actor to circumvent Document Level Security (DLS) in Elasticsearch and read documents that their roles would normally not permit. The vulnerability affects Elasticsearch versions 8.16.0 and 8.16.1 and was assigned CVE-2024-12539, with a CVSS v4.0 score of 6.0 (Medium) and a CVSS v3.1 score of 6.5 (Medium) (NVD, Elastic Advisory).
The flaw lies in the authorization checks applied to specific queries and specifically affects deployments that use Document Level Security. It is classified as CWE-863 (Incorrect Authorization). The CVSS v3.1 base score of 6.5 carries the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, high impact on confidentiality and none on integrity or availability (NVD).
If exploited, this vulnerability allows malicious actors to bypass Document Level Security controls and access documents that their roles would normally not permit. The primary impact is on data confidentiality, with no direct effect on system integrity or availability (Elastic Advisory).
The vulnerability has been fixed in Elasticsearch versions 8.16.2 and 8.17.0. Users running affected versions (8.16.0 and 8.16.1) should upgrade to these patched versions to mitigate the risk (Elastic Advisory).
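As an added defender-side example that is not part of this report or of Elastic's own tooling: the script below combines the two facts needed to judge exposure to CVE-2024-12539, the cluster version (as returned by `GET /`) checked against the affected versions above, and whether any role actually uses DLS (a `query` clause in its index privileges, as returned by `GET /_security/role`). The sample API responses are constructed, not captured from a real cluster.

```python
import json

# Affected and fixed versions as stated in the advisory for CVE-2024-12539.
AFFECTED_VERSIONS = {(8, 16, 0), (8, 16, 1)}
FIXED_VERSIONS = ["8.16.2", "8.17.0"]

def parse_version(version: str) -> tuple:
    """Turn '8.16.1' (or '8.16.1-SNAPSHOT') into a comparable tuple of ints."""
    core = version.split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_affected(version: str) -> bool:
    """True if the cluster version is one the advisory lists as vulnerable."""
    return parse_version(version)[:3] in AFFECTED_VERSIONS

def roles_using_dls(roles: dict) -> list:
    """Return names of roles whose index privileges carry a DLS 'query' clause."""
    names = []
    for name, role in roles.items():
        for idx in role.get("indices", []):
            if "query" in idx:  # DLS is configured per index privilege via 'query'
                names.append(name)
                break
    return sorted(names)

def assess(root_info: dict, roles: dict) -> dict:
    """Combine version and role data into an exposure verdict."""
    version = root_info["version"]["number"]
    dls_roles = roles_using_dls(roles)
    affected = is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "dls_roles": dls_roles,
        "exposed": affected and bool(dls_roles),  # DLS bypass only matters if DLS is in use
        "remediation": f"upgrade to {' or '.join(FIXED_VERSIONS)}" if affected else None,
    }

# Constructed sample responses (not captured from a real cluster):
# the shape of GET / and of GET /_security/role.
SAMPLE_ROOT = {"name": "node-1", "version": {"number": "8.16.1"}}
SAMPLE_ROLES = {
    "analyst": {"indices": [{"names": ["events-*"], "privileges": ["read"],
                             "query": {"term": {"tenant": "acme"}}}]},
    "admin": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
}

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_ROOT, SAMPLE_ROLES), indent=2))
```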
Source: This report was generated using AI