Document Disclosure Flaw in Elasticsearch by Elastic
CVE-2020-7020

3.1LOW

Key Information:

Vendor

Elastic
Status
Elasticsearch
Vendor
CVE Published:
22 October 2020

What is CVE-2020-7020?

Elasticsearch versions prior to 6.8.13 and 7.9.2 are vulnerable to a document disclosure issue when utilizing Document or Field Level Security features. Due to inadequate preservation of security permissions during the execution of complex search queries, unauthorized users may inadvertently gain access to information regarding sensitive documents that should remain hidden. This flaw could potentially expose the existence of confidential documents within specified indices, increasing the risk of data breaches.

Affected Version(s)

Elasticsearch before 6.8.13 and 7.9.2

References

https://staging-website.elastic.co/community/security/
x_refsource_MISC
https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-...
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20201123-0001/
x_refsource_CONFIRM

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.