Field Disclosure Flaw in Elasticsearch by Elastic
CVE-2020-7019

6.5MEDIUM

Key Information:

Vendor: Elastic
Status: Elasticsearch
Vendor: CVE Published:; 18 August 2020

What is CVE-2020-7019?

A field disclosure flaw exists in Elasticsearch prior to version 7.9.0 and 6.8.12 that may allow an unauthorized user to access sensitive fields. When executing a scrolling search with Field Level Security, if a standard user runs the same query as a more privileged user that previously executed it, the search can inadvertently expose fields that should remain hidden. This could allow an attacker to gain unauthorized access to restricted data within an index, thereby elevating their permissions and compromising the integrity of the data.

Affected Version(s)

Elasticsearch before 7.9.0

References

https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20200827-0001/

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 18, 2020
Vulnerability Reserved
Jan 14, 2020