Lucene search

ElasticCVE-2020-7019

HistoryAug 18, 2020 - 5:15 p.m.

CVE-2020-7019

2020-08-1817:15:11

CWE-269

CWE-270

elastic

web.nvd.nist.gov

elasticsearch

scrolling search

field disclosure

security flaw

cve-2020-7019

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

Affected configurations

Nvd

Node

elasticelasticsearchRange<6.8.12

elasticelasticsearchRange7.0.0–7.9.0

VendorProductVersionCPE
elasticelasticsearch*cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
elastic	elasticsearch	*	cpe:2.3:a:elastic:elasticsearch::::::::

CNA Affected

[
  {
    "product": "Elasticsearch",
    "vendor": "Elastic",
    "versions": [
      {
        "status": "affected",
        "version": "before 7.9.0"
      }
    ]
  }
]