CVE-2020-7020
Published: 2020-10-22
Priority: P4
CVSS 3.1 base score: 3.1 (Low)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 1.00% (58.4th percentile)
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | < 6.8.13 | 6.8.13 |
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | >= 7.0.0 < 7.9.2 | 7.9.2 |
| msrc | cm1_rubygem-elasticsearch_8.2.0-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance

| Source | CVSS score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd (v2.0) | 3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |
| osv | 3.1 | LOW | — |
| vendor_msrc | 3.1 | LOW | — |
| vendor_redhat | 3.1 | LOW | — |
Red Hat
elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
vendor_redhat · 2020-10-22 · CVSS 3.1
CVE-2020-7020 [LOW] CWE-266
Package: elasticsearch (Red Hat Decision Manager 7) - Fix deferred
Package: elasticsearch (Red Hat JBoss Fuse 6) - Out of support scope
Package: openshift3/ose-logging-elasticsearch5 (Red Hat OpenShift Container Platform 3.11) - Not
Microsoft
vendor_msrc · 2020-10-13 · CVSS 3.1
CVE-2020-7020 [LOW] CWE-269
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the di
OSV
Privilege Context Switching Error in Elasticsearch
osv · 2021-03-18
CVE-2020-7020 [LOW]
GHSA
Privilege Context Switching Error in Elasticsearch
ghsa · 2021-03-18
CVE-2020-7020 [LOW] CWE-269
OSV
CVE-2020-7020: Elasticsearch versions before 6
osv · 2020-10-22 · CVSS 3.1
CVE-2020-7020 [LOW]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-7020 python-elasticsearch: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure [fedora-all]
bugzilla · 2020-10-30 · CVSS 3.1
CVE-2020-7020 [LOW]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the R
Bugzilla
CVE-2020-7020 python-elasticsearch: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure [openstack-rdo]
bugzilla · 2020-10-30 · CVSS 3.1
CVE-2020-7020 [LOW]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of openstack-rdo.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in
Bugzilla
CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
bugzilla · 2020-10-30 · CVSS 3.1
CVE-2020-7020 [LOW]
Upstream Advisory:
https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
Discussion:
Created python-elasticsearch tracking bugs for this issue:
Affects: epel-all [bug 1893127]
Affects: fed
Bugzilla
CVE-2020-7020 python-elasticsearch: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure [epel-all]
bugzilla · 2020-10-30 · CVSS 3.1
CVE-2020-7020 [LOW]

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM c
References:
https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
https://security.netapp.com/advisory/ntap-20201123-0001/
https://staging-website.elastic.co/community/security/