Read permissions not enforced for client provided filter expressions in Elide http client
CVE-2020-5289

6.8MEDIUM

Key Information:

Vendor

Yahoo

Status
Elide
Vendor
CVE Published:
30 March 2020

What is CVE-2020-5289?

In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater.

Affected Version(s)

elide < 4.5.14

References

https://github.com/yahoo/elide/security/advisories/GHSA-2...
x_refsource_CONFIRM
https://github.com/yahoo/elide/pull/1236
x_refsource_MISC
https://github.com/yahoo/elide/pull/1236/commits/a985f0f9...
x_refsource_MISC

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.