Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
CVE-2020-7020 - Low Severity Vulnerability
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /ProjetGLA2019/Projet/Code/jetty-jersey-master/pom.xml
Path to vulnerable library: /root/.m2/repository/org/elasticsearch/elasticsearch/6.6.2/elasticsearch-6.6.2.jar
Dependency Hierarchy: - elasticsearch-rest-high-level-client-6.6.2.jar (Root Library) - :x: **elasticsearch-6.6.2.jar** (Vulnerable Library)
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.
Publish Date: 2020-10-22
URL: CVE-2020-7020
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
Release Date: 2020-07-21
Fix Resolution: org.elasticsearch:elasticsearch:6.8.13,7.9.3
Step up your Open Source Security Game with WhiteSource here