First published: Mon Mar 25 2019
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
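A configuration audit for the two conditions described above, as an added example that is not part of the original advisory or of Elastic's code. It assumes the node version string and the text of elasticsearch.yml are already in hand; the function names and the sample file are constructed, and the YAML handling covers only plain scalar mappings.

```python
import re

# Affected ranges from the advisory table: <5.6.15, and >=6.0.0 <6.6.1.
FIXED_5X, FIRST_6X, FIXED_6X = (5, 6, 15), (6, 0, 0), (6, 6, 1)
SETTING = "xpack.security.dls_fls.enabled"

# Constructed sample elasticsearch.yml (nested form of the same setting).
SAMPLE_YML = """\
cluster.name: demo   # constructed value
xpack:
  security:
    dls_fls:
      enabled: false
"""


def version_affected(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(p) for p in m.groups())
    return v < FIXED_5X or FIRST_6X <= v < FIXED_6X


def flatten_yaml(text):
    """Flatten simple nested or dotted 'key: value' YAML into dotted keys.
    Assumption: scalar mappings only (no lists, anchors, multi-line values)."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent maps
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = (part.strip() for part in line.partition(":"))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            settings[path] = value.strip("'\"")
        else:
            stack.append((indent, key))
    return settings


def exposed(version, yml_text):
    """True when both advisory conditions hold: affected version and DLS/FLS
    explicitly disabled (the setting defaults to true when absent)."""
    value = flatten_yaml(yml_text).get(SETTING, "true")
    return version_affected(version) and value.lower() == "false"
```

A node that reports as exposed should be upgraded to 5.6.15 or 6.6.1 as the advisory recommends.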
Credit: bressers@elastic.co
Affected Software | Affected Version | How to fix |
---|---|---|
Elastic Elasticsearch | <5.6.15 | |
Elastic Elasticsearch | >=6.0.0, <6.6.1 | |
redhat/elasticsearch | <5.6.15 | 5.6.15 |
redhat/elasticsearch | <6.6.1 | 6.6.1 |
CVE-2019-7611 is a vulnerability found in Elasticsearch versions before 5.6.15 and 6.6.1.
The severity of CVE-2019-7611 is high with a CVSS score of 8.1.
CVE-2019-7611 affects Elasticsearch when Field Level Security and Document Level Security are disabled and certain endpoints are used.
The recommended remedy for CVE-2019-7611 is to upgrade to Elasticsearch version 5.6.15 or 6.6.1.
You can find more information about CVE-2019-7611 in the references provided: [Link 1](https://discuss.elastic.co/t/elastic-stack-6-6-1-and-5-6-15-security-update/169077), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1696035), [Link 3](https://access.redhat.com/support/policy/updates/jboss_notes)