Описание
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
A flaw was found in elasticsearch. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view. A mitigating factor to this flaw is an attacker must know the document ID to run the get request.
Отчет
In Elasticsearch, Document and Field Level Security is an enterprise only feature [1]. Hence the open source version is unaffected by this vulnerability. [1] https://www.elastic.co/subscriptions
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | elasticsearch | Not affected | ||
| Red Hat Fuse 7 | elasticsearch | Not affected | ||
| Red Hat Integration Camel K 1 | elasticsearch | Not affected | ||
| Red Hat JBoss Fuse 6 | elasticsearch | Not affected | ||
| Red Hat JBoss Fuse Service Works 6 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-elasticsearch5 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-elasticsearch6 | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | python-elasticsearch | Not affected | ||
| Red Hat Process Automation 7 | elasticsearch | Not affected |
Показывать по
Дополнительная информация
Статус:
2.6 Low
CVSS3
Связанные уязвимости
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
A document disclosure flaw was found in Elasticsearch versions after 7 ...
Exposure of Sensitive Information to an Unauthorized Actor
2.6 Low
CVSS3