CVE-2020-7019
First published: Tue Aug 18 2020(Updated: )
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elasticsearch | <6.8.12 | |
| Elastic Elasticsearch | >=7.0.0<7.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-7019?
CVE-2020-7019 is a vulnerability in Elasticsearch before version 7.9.0 and 6.8.12 that allows field disclosure when running a scrolling search with Field Level Security.
How does CVE-2020-7019 work?
CVE-2020-7019 works by leaking hidden fields in Elasticsearch when a user runs the same query that a more privileged user recently ran.
What is the severity of CVE-2020-7019?
CVE-2020-7019 has a severity rating of 6.5 (medium).
Which software versions are affected by CVE-2020-7019?
CVE-2020-7019 affects Elasticsearch versions before 7.9.0 and 6.8.12.
How can I fix CVE-2020-7019?
To fix CVE-2020-7019, upgrade Elasticsearch to version 7.9.0 or 6.8.12.
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/weakness
- agent/description
- agent/tags
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- vendor/elastic
- canonical/elastic elasticsearch
- version/elastic elasticsearch/7.0.0