CVE-2020-7019
Field disclosure vulnerability in Elasticsearch (Maven)

Type: field disclosure. Known exploit: none.

What is CVE-2020-7019 About?

This field disclosure flaw in Elasticsearch allows a less privileged user running a scrolling search to view fields that should be hidden from them, provided a more privileged user recently ran a similar query. This can lead to unauthorized information access. Exploitation requires specific timing and prior privileged activity.

Affected Software

  • org.elasticsearch:elasticsearch
    • >=7.0.0, <7.9.0
    • <6.8.12

Technical Details

The vulnerability exists in Elasticsearch's scrolling search functionality when combined with Field Level Security (FLS). When a user performs a scrolling search, Elasticsearch may reuse cached query results or server-side search state from a similar query that a more privileged user ran shortly before. If a less privileged user then executes a scrolling search that matches or overlaps that recent query, the reused state is not re-filtered against the less privileged user's FLS rules, so field data that should be restricted is returned. The result is disclosure of sensitive fields that the less privileged user should not be able to read.

What is the Impact of CVE-2020-7019?

Successful exploitation may allow attackers to gain unauthorized access to sensitive data fields, leading to information disclosure and potential escalation of privileges against restricted indices.

What is the Exploitability of CVE-2020-7019?

Exploiting this vulnerability has a moderate complexity due to the timing and preconditions required. It necessitates that a more privileged user has recently run a relevant query, and then a less privileged attacker must execute a similar scrolling search to trigger the disclosure. The attacker requires authentication to Elasticsearch, but with lower privileges than the user whose data they aim to access. This is primarily a remote exploitation scenario, requiring network access to the Elasticsearch instance. The key constraint is the dependency on prior, privileged user activity to create the cache state conducive to exploitation. The likelihood of exploitation increases in environments with frequent use of scrolling searches and varying privilege levels.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-7019?

Available Upgrade Options

  • org.elasticsearch:elasticsearch
    • <6.8.12 → Upgrade to 6.8.12
  • org.elasticsearch:elasticsearch
    • >=7.0.0, <7.9.0 → Upgrade to 7.9.0
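A defender's first step for this advisory is to confirm which Elasticsearch versions are actually deployed and whether each falls in an affected range. The following Python script is an added example written for this page; it is not code from Elastic or from this advisory. It encodes the two affected ranges and their fix versions exactly as listed above, checks a version string against them, and shows two realistic inputs: the `version.number` field that a real Elasticsearch cluster returns from `GET /`, and the `org.elasticsearch:elasticsearch` dependency in a Maven `pom.xml`. The JSON response and the POM below are constructed samples; the function names (`fix_for`, `assess_cluster`, `dependency_version_from_pom`) are the example's own.

```python
"""Check Elasticsearch versions against the ranges affected by CVE-2020-7019.

Affected ranges and remediation, as published in the advisory:
  <6.8.12          -> upgrade to 6.8.12
  >=7.0.0, <7.9.0  -> upgrade to 7.9.0
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None, upper bound exclusive, version to upgrade to)
AFFECTED_RANGES = (
    (None, (6, 8, 12), "6.8.12"),
    ((7, 0, 0), (7, 9, 0), "7.9.0"),
)

# Accepts "7.8.1" as well as qualified builds such as "7.8.1-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Version:
    """Parse major.minor.patch; any -qualifier or +build suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fix_for(version: str) -> Optional[str]:
    """Return the version to upgrade to if `version` is affected, else None."""
    v = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fix_for(version) is not None


# Constructed sample of the JSON a cluster returns from GET / (only the
# fields used here; a real response carries more).
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "constructed-sample",
    "version": {"number": "7.8.1", "build_flavor": "default"},
})


def version_from_root_response(body: str) -> str:
    return json.loads(body)["version"]["number"]


def assess_cluster(body: str) -> dict:
    """Summarise a cluster's exposure from its GET / response body."""
    version = version_from_root_response(body)
    fixed = fix_for(version)
    return {"version": version, "affected": fixed is not None, "upgrade_to": fixed}


# Constructed sample pom.xml declaring the affected Maven artifact.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>constructed-sample</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.elasticsearch</groupId>
      <artifactId>elasticsearch</artifactId>
      <version>6.8.10</version>
    </dependency>
  </dependencies>
</project>
"""


def dependency_version_from_pom(pom_xml: str, group_id: str, artifact_id: str) -> Optional[str]:
    """Find a dependency's declared <version> in a POM (namespace-agnostic).

    Caveat: a version given as a property such as ${es.version} is returned
    verbatim; resolve properties or inspect the effective POM in that case.
    """
    root = ET.fromstring(pom_xml)

    def local(tag: str) -> str:
        return tag.rsplit("}", 1)[-1]

    for dep in root.iter():
        if local(dep.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == group_id and fields.get("artifactId") == artifact_id:
            return fields.get("version")
    return None


if __name__ == "__main__":
    print(assess_cluster(SAMPLE_ROOT_RESPONSE))
    pom_version = dependency_version_from_pom(SAMPLE_POM, "org.elasticsearch", "elasticsearch")
    print(pom_version, "->", fix_for(pom_version) if pom_version else "not declared")
```

Both checks only read the version; they do not exercise the scrolling search itself. Run `assess_cluster` on the live `GET /` body of each node, since a mixed-version cluster may contain unpatched nodes, and treat a POM version reported as a property reference as unresolved rather than safe.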


Additional Resources

What are Similar Vulnerabilities to CVE-2020-7019?

Similar Vulnerabilities: CVE-2023-28434, CVE-2022-26134, CVE-2022-25765, CVE-2022-24706, CVE-2021-42352