MEDIUM✓ PATCH🇵🇱 Wersja polska

CVE-2020-7019

CVSS 6.5v3.1pub. 2020-08-18upd. 2024-11-21

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Elastic Elasticsearch

    APP
    Elastic
    < 6.8.127.0.0 – 7.9.0 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2015-1427CRITICAL9.8⚠ KEVten sam produkt

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2015-5377CRITICAL9.8ten sam produkt

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving...

CVE-2014-3120HIGH8.1⚠ KEVten sam produkt

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers...

CVE-2023-31418HIGH7.5ten sam produkt

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...

CVE-2022-23712HIGH7.5ten sam produkt

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacke...