CVE-2020-7019

EPSS 0.14%
Published 18.08.2020 17:15:11
Last modified 21.11.2024 05:36:30
Source bressers@elastic.co
Teams watchlist Login
Open Login

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

Elastic ≫ Elasticsearch Version < 6.8.12

Elastic ≫ Elasticsearch Version >= 7.0.0 < 7.9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.343

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-270 Privilege Context Switching Error

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456

Vendor Advisory

https://security.netapp.com/advisory/ntap-20200827-0001/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-7019

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-7019

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-7019

EUVD