PT-2020-19345 · Elastic · Elasticsearch

Published 2020-10-22 · Updated 2024-03-06 · CVE-2020-7020

CVSS v2.0: 3.5 (Low)

Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Elasticsearch versions prior to 6.8.13
Elasticsearch versions prior to 7.9.2

Description

The issue is related to a document disclosure flaw when Document or Field Level Security is used in Elasticsearch. Search queries do not properly preserve security permissions when executing certain complex queries, potentially disclosing the existence of documents that an attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Recommendations

For versions prior to 6.8.13, update to version 6.8.13 or later to resolve the issue.
For versions prior to 7.9.2, update to version 7.9.2 or later to resolve the issue.
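
A triage check for the two conditions above (a version older than the fix, and Document or Field Level Security in use), as an added example that is not part of the original advisory or Elastic's code. It assumes role definitions are supplied as a dict shaped like the output of Elasticsearch's role-retrieval API (index entries with optional `query` and `field_security` keys); the function names and sample roles are hypothetical.

```python
import re

# Fixed releases named in the advisory, keyed by major version.
FIXED = {6: (6, 8, 13), 7: (7, 9, 2)}

def parse_version(number):
    """Parse 'X.Y.Z' (optionally with a suffix such as '-SNAPSHOT') into a tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", number.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {number!r}")
    return tuple(int(p) for p in m.groups())

def version_affected(number):
    """True when the version predates the fix for its release line."""
    v = parse_version(number)
    if v[0] < 6:
        return True  # the advisory lists everything prior to 6.8.13
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed  # later majors postdate the fix

def roles_using_dls_fls(roles):
    """Return sorted names of roles whose index privileges restrict documents or fields."""
    hits = set()
    for name, role in roles.items():
        for grant in role.get("indices", []):
            fls = grant.get("field_security") or {}
            # Assumption: a grant of ["*"] with no exceptions restricts nothing.
            restricts_fields = bool(fls.get("except")) or fls.get("grant", ["*"]) != ["*"]
            if grant.get("query") or restricts_fields:
                hits.add(name)
    return sorted(hits)

def assess(version_number, roles):
    """Combine both conditions from the description: old version AND DLS/FLS in use."""
    old = version_affected(version_number)
    restricted = roles_using_dls_fls(roles)
    return {"affected_version": old, "dls_fls_roles": restricted,
            "exposed": old and bool(restricted)}

# Constructed sample data, not taken from a real cluster.
SAMPLE_ROLES = {
    "hr_reader": {"indices": [{"names": ["hr-*"], "privileges": ["read"],
                               "query": '{"term": {"dept": "emea"}}'}]},
    "log_reader": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "masked": {"indices": [{"names": ["crm"], "privileges": ["read"],
                            "field_security": {"grant": ["*"], "except": ["ssn"]}}]},
}
```

A cluster on an affected version with no DLS/FLS roles is reported as not exposed to this particular issue, but still needs the upgrade for the release's other fixes.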

Fix

Weakness Enumeration

Improper Privilege Management

Related Identifiers

BIT-ELASTICSEARCH-2020-7020
CVE-2020-7020
GHSA-G9FW-9X87-RMRJ

Affected Products

Elasticsearch