Bug 1178149 - (CVE-2020-7020) VUL-1: CVE-2020-7020: elasticsearch: document disclosure flaw when Document or Field Level Security is used
(CVE-2020-7020)
VUL-1: CVE-2020-7020: elasticsearch: document disclosure flaw when Document o...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/270088/
CVSSv3.1:SUSE:CVE-2020-7020:3.1:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-10-26 17:54 UTC by Wolfgang Frisch
Modified: 2020-10-30 11:05 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Wolfgang Frisch 2020-10-26 17:54:30 UTC
CVE-2020-7020

Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure
flaw when Document or Field Level Security is used. Search queries do not
properly preserve security permissions when executing certain complex queries.
This could result in the search disclosing the existence of documents the
attacker should not be able to view. This could result in an attacker gaining
additional insight into potentially sensitive indices.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7020
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7020.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7020
https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
https://staging-website.elastic.co/community/security/
Comment 1 Wolfgang Frisch 2020-10-26 18:39:15 UTC
Document and Field Level Security was added in v6.3.0.

>commit 5f01f793d5541293e965d0a38a1cab8b2a2db77d
>Author: Martijn van Groningen <martijn.v.groningen@gmail.com>
>Date:   Thu Aug 27 17:53:10 2015 +0200
> 
>    Added document and field level security

SUSE:SLE-12-SP3:Update:Products:Cloud8:Update  Not affected
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update  Not affected