// For flags

CVE-2019-7611

elasticsearch: Improper permission issue when attaching a new name to an index

Severity Score

8.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

Se ha encontrado un problema de permiso en versiones anteriores a las 5.6.15 y 6.6.1 de Elasticsearch cuando se encuentran deshabilitados Field Level Security y Document Level Security, y se utilizan los endpoints _aliases, _shrink o _split. Si el archivo elasticsearch.yml tiene la opción xpack.security.dls_fls.enabled configurada en ‘‘false’’, se omiten ciertas comprobaciones de permiso cuando los usuarios ejecutan una de las acciones mencionadas anteriormente, para hacer que los datos existentes sean disponibles bajo un nuevo alias o nombre de índice. Esto podría resultar en que un atacante logre permisos adicionales en un índice restringido.

Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. This release of Red Hat Decision Manager 7.7.0 serves as an update to Red Hat Decision Manager 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include code execution and information leakage vulnerabilities.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-02-07 CVE Reserved
  • 2019-03-25 CVE Published
  • 2024-08-04 CVE Updated
  • 2025-08-15 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
  • CWE-285: Improper Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Elastic
Search vendor "Elastic"
 Elasticsearch
Search vendor "Elastic" for product "Elasticsearch"
 < 5.6.15
Search vendor "Elastic" for product "Elasticsearch" and version " < 5.6.15"
-
Affected
Elastic
Search vendor "Elastic"
 Elasticsearch
Search vendor "Elastic" for product "Elasticsearch"
 >= 6.0.0 < 6.6.1
Search vendor "Elastic" for product "Elasticsearch" and version " >= 6.0.0 < 6.6.1"
-
Affected