Bug 1178149 (CVE-2020-7020)

Summary: VUL-1: CVE-2020-7020: elasticsearch: document disclosure flaw when Document or Field Level Security is used
Product: [Novell Products] SUSE Security Incidents Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/270088/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-7020:3.1:(AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Wolfgang Frisch 2020-10-26 17:54:30 UTC
CVE-2020-7020

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure
flaw when Document or Field Level Security is used. Search queries do not
properly preserve security permissions when executing certain complex queries.
This could result in the search disclosing the existence of documents the
attacker should not be able to view. This could result in an attacker gaining
additional insight into potentially sensitive indices.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7020
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7020.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7020
https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
https://staging-website.elastic.co/community/security/
Comment 1 Wolfgang Frisch 2020-10-26 18:39:15 UTC
Document and Field Level Security was added in v6.3.0.

>commit 5f01f793d5541293e965d0a38a1cab8b2a2db77d
>Author: Martijn van Groningen <martijn.v.groningen@gmail.com>
>Date:   Thu Aug 27 17:53:10 2015 +0200
> 
>    Added document and field level security

SUSE:SLE-12-SP3:Update:Products:Cloud8:Update  Not affected
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update  Not affected