CVE-2020-7020

Опубликовано: 22 окт. 2020

Источник: nvd

CVSS3: 3.1

CVSS2: 3.5

EPSS Низкий

Описание

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Ссылки

https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
Release Notes
Vendor Advisory
https://security.netapp.com/advisory/ntap-20201123-0001/
Third Party Advisory
https://staging-website.elastic.co/community/security/
Permissions Required
Vendor Advisory
https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
Release Notes
Vendor Advisory
https://security.netapp.com/advisory/ntap-20201123-0001/
Third Party Advisory
https://staging-website.elastic.co/community/security/
Permissions Required
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*

Версия до 6.8.13 (исключая)

cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*

Версия от 7.0.0 (включая) до 7.9.2 (исключая)

EPSS

Процентиль: 32%

0.00124

Низкий

3.1 Low

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-270

CWE-269

Связанные уязвимости

CVE-2020-7020

CVSS3: 3.1

ubuntu

больше 5 лет назад

CVE-2020-7020

CVSS3: 3.1

redhat

больше 5 лет назад

CVE-2020-7020

CVSS3: 3.1

msrc

около 4 лет назад

CVE-2020-7020

CVSS3: 3.1

debian

больше 5 лет назад

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disc ...

GHSA-g9fw-9x87-rmrj

CVSS3: 3.1

github

почти 5 лет назад

Privilege Context Switching Error in Elasticsearch

EPSS

Процентиль: 32%

0.00124

Низкий

3.1 Low

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-270

CWE-269