CVE-2020-7019
published 2020-08-18CVE-2020-7019: In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same…
PriorityP335medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
1.20%
64.4th percentile
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | < 6.8.12 | 6.8.12 |
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | >= 7.0.0 < 7.9.0 | 7.9.0 |
| msrc | cm1_rubygem-elasticsearch_8.2.0-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
osv6.5MEDIUM
vendor_msrc6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Improper privilege management in elasticsearch
ghsa·2022-05-24
CVE-2020-7019 [MEDIUM] CWE-269 Improper privilege management in elasticsearch
Improper privilege management in elasticsearch
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
OSV
Improper privilege management in elasticsearch
osv·2022-05-24
CVE-2020-7019 [MEDIUM] Improper privilege management in elasticsearch
Improper privilege management in elasticsearch
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
OSV
CVE-2020-7019: In Elasticsearch before 7
osv·2020-08-18·CVSS 6.5
CVE-2020-7019 [MEDIUM] CVE-2020-7019: In Elasticsearch before 7
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Red Hat
elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
vendor_redhat·2020-08-18·CVSS 6.5
CVE-2020-7019 [MEDIUM] CWE-270 elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Package: elasticsearch (Red Hat Decision Manager 7) - Not affected
Package: elasticsearch (Red Hat Fuse 7) - Not affected
Package: elasticsearch (Red Hat JBoss Fuse 6) - Not affected
Package: openshift3/ose-logging-elasticsearch5 (Red Hat OpenShift Container Platform 3.11) - Not affected
Package: openshift4/ose-logging-elasticse
Microsoft
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recentl
vendor_msrc·2020-08-11·CVSS 6.5
CVE-2020-7019 [MEDIUM] CWE-269 In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recentl
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [epel-all]
bugzilla·2020-08-19·CVSS 6.5
CVE-2020-7019 [MEDIUM] CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [epel-all]
CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedp
Bugzilla
CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [openstack-rdo]
bugzilla·2020-08-19·CVSS 6.5
CVE-2020-7019 [MEDIUM] CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [openstack-rdo]
CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog an
Bugzilla
CVE-2020-7019 elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
bugzilla·2020-08-19·CVSS 6.5
CVE-2020-7019 [MEDIUM] CVE-2020-7019 elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
CVE-2020-7019 elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Reference:
https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
Discussion:
Created python-elasticsearch tracking bugs for this issue:
Affects: epel-all [bug 1870347]
Affects: fedora-all [bug 1870349]
Affects: openstack-rdo [bug 1870348]
---
External References:
https://discuss.elast
Bugzilla
CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [fedora-all]
bugzilla·2020-08-19·CVSS 6.5
CVE-2020-7019 [MEDIUM] CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [fedora-all]
CVE-2020-7019 python-elasticsearch: elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
2020-08-18
Published