Upgrading to Enterprise Search 8.10.3? See Upgrading and migrating.
Elastic SharePoint Online Python Connector Improper Access Control (ESA-2023-18)
An issue was discovered when using Document Level Security and the SPO "Limited Access" functionality in the Elastic SharePoint Online Python Connector.
If a user is assigned limited access permissions to an item on a SharePoint site, then that user would have read permissions to all content on the SharePoint site through Elasticsearch.
The issue is resolved in 8.10.3.
For more information, see our related security announcement.
- Fixed an issue where SharePoint Online document-level security was based on User Information Lists, rather than Role Assignments.
- Fixed a bug in the SharePoint Online connector where sync jobs would occasionally continue running despite being canceled. Now, sync jobs are given a 5-second grace period to terminate smoothly before they are forced to terminate.
- Fixed a bug introduced in 8.10.0 where converting native connectors to connector clients was broken.
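
The difference between the two access derivations named in the first fix above (User Information Lists versus Role Assignments), and why it matters for "Limited Access" users in ESA-2023-18, as an added example that is not the connector's own code. The data is constructed, and the field names, the helper functions and the use of `RoleTypeKind` 1 to identify Limited Access are assumptions made for illustration.

```python
# Constructed sample data: field names are modelled on SharePoint role-assignment
# payloads but are assumptions, not the connector's real data structures.
LIMITED_ACCESS = 1  # RoleTypeKind "Guest", used by the built-in Limited Access level

SITE = {
    "user_information_list": [
        "alice@example.com", "bob@example.com", "carol@example.com",
        "dave@example.com", "erin@example.com",
    ],
    "role_assignments": [
        {"member": "alice@example.com", "roles": [{"Name": "Full Control", "RoleTypeKind": 5}]},
        {"member": "bob@example.com", "roles": [{"Name": "Read", "RoleTypeKind": 2}]},
        # carol was only shared a single item, so the site records Limited Access for her
        {"member": "carol@example.com", "roles": [{"Name": "Limited Access", "RoleTypeKind": 1}]},
        # dave holds Limited Access and a real role: he must stay allowed
        {"member": "dave@example.com", "roles": [
            {"Name": "Limited Access", "RoleTypeKind": 1},
            {"Name": "Contribute", "RoleTypeKind": 3},
        ]},
        # erin appears in the user information list but has no role assignment
    ],
}


def acl_from_user_information_list(site):
    """Behaviour before the fix: everyone known to the site can read it."""
    return set(site["user_information_list"])


def acl_from_role_assignments(site):
    """Behaviour after the fix (simplified): only members holding at least
    one role other than Limited Access get site-wide read access."""
    allowed = set()
    for assignment in site["role_assignments"]:
        if any(r["RoleTypeKind"] != LIMITED_ACCESS for r in assignment["roles"]):
            allowed.add(assignment["member"])
    return allowed


def overexposed(site):
    """Identities the old derivation let read the whole site in error."""
    return acl_from_user_information_list(site) - acl_from_role_assignments(site)


if __name__ == "__main__":
    print("over-exposed before the fix:", sorted(overexposed(SITE)))
```

The same set difference works as a post-upgrade check: any identity it returns should no longer appear in the access control lists of documents indexed from that site.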