CVE-2020-7019
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
En Elasticsearch versiones anteriores a 7.9.0 y 6.8.12, se encontró un fallo de divulgación de campo al ejecutar una búsqueda de desplazamiento con Field Level Security. Si un usuario ejecuta la misma consulta que otro usuario más privilegiado realizó recientemente, la búsqueda de desplazamiento puede filtrar campos que deberían estar ocultos. Esto podría resultar en que un atacante consiga permisos adicionales contra un índice restringido.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-01-14 CVE Reserved
- 2020-08-18 CVE Published
- 2023-05-08 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
- CWE-270: Privilege Context Switching Error
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://security.netapp.com/advisory/ntap-20200827-0001 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456 | 2023-01-27 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Elastic Search vendor "Elastic" | Elasticsearch Search vendor "Elastic" for product "Elasticsearch" | < 6.8.12 Search vendor "Elastic" for product "Elasticsearch" and version " < 6.8.12" | - |
Affected
| ||||||
Elastic Search vendor "Elastic" | Elasticsearch Search vendor "Elastic" for product "Elasticsearch" | >= 7.0.0 < 7.9.0 Search vendor "Elastic" for product "Elasticsearch" and version " >= 7.0.0 < 7.9.0" | - |
Affected
|