{"api_version":"1","generated_at":"2026-04-23T04:10:11+00:00","cve":"CVE-2019-13416","urls":{"html":"https://cve.report/CVE-2019-13416","api":"https://cve.report/api/cve/CVE-2019-13416.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-13416","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-13416"},"summary":{"title":"CVE-2019-13416","description":"Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).","state":"PUBLIC","assigner":"security@search-guard.com","published_at":"2019-08-13 19:15:00","updated_at":"2020-10-08 12:58:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3","name":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"Search Guard 6.x-24.3 | Elasticsearch Security | Search Guard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://search-guard.com/cve-advisory/","name":"https://search-guard.com/cve-advisory/","refsource":"MISC","tags":["Vendor Advisory"],"title":"CVE - advisory - Search Guard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-13416","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13416","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"13416","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"search-guard","cpe5":"search_guard","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"13416","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"search-guard","cpe5":"search_guard","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"security@search-guard.com","ID":"CVE-2019-13416","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"floragunn","product":{"product_data":[{"product_name":"Search Guard","version":{"version_data":[{"version_value":"before 24.3"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-285: Improper Authorization"}]}]},"references":{"reference_data":[{"url":"https://search-guard.com/cve-advisory/","refsource":"MISC","name":"https://search-guard.com/cve-advisory/"},{"refsource":"CONFIRM","url":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3","name":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_3"}]},"description":{"description_data":[{"lang":"eng","value":"Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s)."}]}},"nvd":{"publishedDate":"2019-08-13 19:15:00","lastModifiedDate":"2020-10-08 12:58:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:search-guard:search_guard:*:*:*:*:*:*:*:*","versionEndExcluding":"24.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"13416","Ordinal":"151775","Title":"CVE-2019-13416","CVE":"CVE-2019-13416","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"13416","Ordinal":"1","NoteData":"Search Guard versions before 24.3 had an issue when Cross Cluster Search (CCS) was enabled, authenticated users are always authorized on the local cluster ignoring their roles on the remote cluster(s).","Type":"Description","Title":null},{"CveYear":"2019","CveId":"13416","Ordinal":"2","NoteData":"2019-08-13","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"13416","Ordinal":"3","NoteData":"2019-08-13","Type":"Other","Title":"Modified"}]}}}