Field Disclosure Flaw in Elasticsearch by Elastic
CVE-2020-7019

6.5MEDIUM

Key Information:

Vendor: Elastic
Status: Elasticsearch
Vendor: CVE Published:; 18 August 2020

What is CVE-2020-7019?

A field disclosure flaw exists in Elasticsearch prior to version 7.9.0 and 6.8.12 that may allow an unauthorized user to access sensitive fields. When executing a scrolling search with Field Level Security, if a standard user runs the same query as a more privileged user that previously executed it, the search can inadvertently expose fields that should remain hidden. This could allow an attacker to gain unauthorized access to restricted data within an index, thereby elevating their permissions and compromising the integrity of the data.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Elasticsearch before 7.9.0

References

https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20200827-0001/

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 18, 2020
Vulnerability Reserved
Jan 14, 2020

JSON

Elastic