In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NElastic Elasticsearch
APPElastic< 6.8.127.0.0 – 7.9.0 (bez)
Related vulnerabilities
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...
Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving...
The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers...
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacke...