CVE-2020-7020Privilege Context Switching Error in Elasticsearch

CWE-270Privilege Context Switching ErrorCWE-269Improper Privilege ManagementCWE-266Incorrect Privilege AssignmentCWE-200Sensitive Information Exposure11 documents7 sources
Severity
3.1LOWNVD
EPSS
0.1%
top 77.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Elastic Elasticsearch
Timeline
PublishedOct 22
Latest updateMar 18

Description

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages2 packages

NVDelastic/elasticsearch7.0.07.9.2+1
CVEListV5elastic/elasticsearchbefore 6.8.13 and 7.9.2

🔴Vulnerability Details

4
OSV
Privilege Context Switching Error in Elasticsearch2021-03-18
GHSA
Privilege Context Switching Error in Elasticsearch2021-03-18
OSV
CVE-2020-7020: Elasticsearch versions before 62020-10-22
CVEList
CVE-2020-7020: Elasticsearch versions before 62020-10-22

📋Vendor Advisories

2
Red Hat
elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure2020-10-22
Microsoft
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when execu2020-10-13

💬Community

4
Bugzilla
CVE-2020-7020 python-elasticsearch: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure [fedora-all]2020-10-30
Bugzilla
CVE-2020-7020 python-elasticsearch: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure [openstack-rdo]2020-10-30
Bugzilla
CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure2020-10-30
Bugzilla
CVE-2020-7020 python-elasticsearch: elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure [epel-all]2020-10-30
CVE-2020-7020 — Privilege Context Switching Error | cvebase