CVE-2020-7020
3.1
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 1.6 / Impact: 1.4
Source: NVD
Description
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Affected (2)
Products: Elastic: Elasticsearch
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| Elasticsearch | Before 6.8.13 |
Related CWEs
CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-270
Privilege Context Switching Error
The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.
References (6)
Source: security@elastic.co
Release Notes, Vendor Advisory
Source: security@elastic.co
Third Party Advisory
Source: security@elastic.co
Permissions Required, Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes, Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions Required, Vendor Advisory