CVE-2020-7020
document disclosure vulnerability in elasticsearch (Maven)
What is CVE-2020-7020 About?
CVE-2020-7020 is a document disclosure flaw in Elasticsearch that affects deployments using Document Level Security (DLS) or Field Level Security (FLS). Certain complex search queries do not properly preserve the configured security permissions, so a search can disclose the existence of documents the caller is not authorised to view. The document content is not what leaks; the leak is the knowledge that matching documents exist, which gives an attacker additional insight into potentially sensitive indices. It is an information leakage issue rather than a full access-control bypass, and it requires the attacker to find a query shape that triggers the flaw, which makes it moderately complex to exploit.
Affected Software
- org.elasticsearch:elasticsearch
- >=7.0.0, <7.9.2
- <6.8.13
Technical Details
The flaw affects clusters where Document Level Security (DLS) or Field Level Security (FLS) restricts what a role may see. DLS works by attaching a query to a role's index privileges; every search the user runs is supposed to be intersected with that query, and FLS likewise strips fields the role may not read. For certain complex queries Elasticsearch did not preserve these permissions correctly, so a user who is not authorised to view particular documents could craft a search that still reflected them. The advisory does not say that the content of the hidden documents is returned; the leak is in response metadata such as hit counts that reveal that matching documents exist. That 'existence disclosure' is a reconnaissance primitive: an attacker can probe a protected index for specific values (a customer name, an identifier, a status) and learn which ones are present, even though the documents themselves remain hidden.
What is the Impact of CVE-2020-7020?
Successful exploitation allows an attacker to learn that documents they are not authorised to view exist in a protected index. This can reveal sensitive or proprietary information (for example, that a particular record, customer or identifier is present) without disclosing the documents themselves.
What is the Exploitability of CVE-2020-7020?
Exploitation requires crafting the specific complex search queries that trigger the flaw in DLS/FLS enforcement. The advisory does not publish the query forms, so an attacker needs some understanding of the Elasticsearch query DSL and of the target's data model. Authentication is required: the attacker must be able to run searches against the protected index, but only with the ordinary read privileges a DLS/FLS-restricted user already holds, so no elevated privileges are needed. The scenario is remote, assuming network access to the Elasticsearch HTTP API. Preconditions are that DLS or FLS is configured on the index and that the attacker can issue the relevant query types. Risk is higher where DLS/FLS is the only control separating tenants or sensitive records within a shared index, since the existence of a record can itself be sensitive.
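The Technical Details and Exploitability sections above describe existence disclosure in terms of response metadata rather than document content. The script below is an added example (not part of this page, the advisory, or the Elasticsearch project) of how an operator can test their own cluster for that class of leak: a privileged user creates a DLS-restricted role and plants a canary document the role must never match, then the restricted user runs `size: 0` searches for the canary and only `hits.total` and aggregation buckets are inspected. The index, role, user and field names are assumptions, and because the advisory does not name the query forms that trigger the flaw, the probe queries are illustrative shapes rather than a reproduction recipe. It uses only the standard library and the documented `_security/role`, `_security/user` and `_search` endpoints.

```python
"""Constructed DLS existence-disclosure check (CVE-2020-7020 class).

A privileged user plants a canary document that a DLS-restricted role must
never match. The restricted user then runs size=0 searches for the canary and
the script inspects only hits.total and aggregation buckets, never _source.
Correct DLS reports 0 hits and no canary bucket; anything else is existence
disclosure. Index, role, user and field names are assumptions; the advisory
does not name the query forms that trigger the flaw, so the query shapes here
are illustrative probes, not a reproduction recipe.
"""
import base64
import json
import urllib.request

INDEX = "hr-records"                  # assumed index protected by DLS
DLS_FIELD = "department"              # assumed keyword field the DLS query restricts on
VISIBLE_VALUE = "engineering"         # value the restricted role may see
CANARY_ID = "cve-2020-7020-canary"
CANARY_VALUE = "finance-canary-3f9a"  # value the restricted role must never see
ROLE = "dls_reader"


def dls_role(index: str, field: str, value: str) -> dict:
    """Body for PUT _security/role/<name>: read access limited by a term query (DLS)."""
    return {"indices": [{"names": [index], "privileges": ["read"],
                         "query": {"term": {field: value}}}]}


def canary_queries(field: str, value: str) -> dict:
    """Search bodies run as the restricted user; size=0 so no document content is
    requested. Shapes are example probes, not the advisory's trigger queries."""
    return {
        "term": {"size": 0, "query": {"term": {field: value}}},
        "bool_filter": {"size": 0, "query": {"bool": {"filter": [{"term": {field: value}}]}}},
        "terms_agg": {"size": 0, "query": {"match_all": {}},
                      "aggs": {"by_field": {"terms": {"field": field}}}},
    }


def total_hits(resp: dict) -> int:
    """hits.total is {"value": n, "relation": ...} in 7.x and a bare integer in 6.x."""
    total = resp["hits"]["total"]
    return int(total["value"]) if isinstance(total, dict) else int(total)


def existence_leak(resp: dict) -> bool:
    """True when a search that must match nothing for this user still reports hits."""
    return total_hits(resp) > 0


def leaked_bucket_keys(resp: dict, agg_name: str, forbidden: set) -> list:
    """Buckets are built from the documents the query could see; a forbidden key
    surfacing here discloses documents without returning any of them."""
    buckets = resp.get("aggregations", {}).get(agg_name, {}).get("buckets", [])
    return [b["key"] for b in buckets if b["key"] in forbidden]


def _request(base_url, method, path, body, user, password):
    """Minimal REST helper on urllib so the script has no third-party dependencies."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req) as r:
        return json.loads(r.read())


def run_check(base_url, admin, restricted):
    """admin/restricted are (user, password). Sets up role, user and canary, runs the probes."""
    _request(base_url, "PUT", "/_security/role/" + ROLE,
             dls_role(INDEX, DLS_FIELD, VISIBLE_VALUE), *admin)
    _request(base_url, "PUT", "/_security/user/" + restricted[0],
             {"password": restricted[1], "roles": [ROLE]}, *admin)
    _request(base_url, "PUT", f"/{INDEX}/_doc/{CANARY_ID}?refresh=true",
             {DLS_FIELD: CANARY_VALUE, "note": "canary"}, *admin)
    findings = {}
    for name, body in canary_queries(DLS_FIELD, CANARY_VALUE).items():
        resp = _request(base_url, "POST", f"/{INDEX}/_search", body, *restricted)
        if name == "terms_agg":
            findings[name] = leaked_bucket_keys(resp, "by_field", {CANARY_VALUE})
        else:
            findings[name] = existence_leak(resp)
    return findings


if __name__ == "__main__":
    print(json.dumps(run_check("http://localhost:9200", ("elastic", "changeme"),
                               ("dls_user", "changeme")), indent=2))
```

The probes deliberately never request `_source`: the point of the test is that metadata alone (a non-zero `hits.total`, or a canary key in a terms aggregation) is enough to prove disclosure, which is exactly the signal this CVE is about. Run it against a throwaway cluster, since it creates a role, a user and a document; DLS/FLS is a licensed feature, so a trial licence is needed on a fresh install.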
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| None known | | |
What are the Available Fixes for CVE-2020-7020?
Available Upgrade Options
- org.elasticsearch:elasticsearch
- <6.8.13 → Upgrade to 6.8.13
- org.elasticsearch:elasticsearch
- >=7.0.0, <7.9.2 → Upgrade to 7.9.2
Additional Resources
- https://staging-website.elastic.co/community/security
- https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033
- https://github.com/elastic/elasticsearch
- https://security.netapp.com/advisory/ntap-20201123-0001
- https://nvd.nist.gov/vuln/detail/CVE-2020-7020
- https://osv.dev/vulnerability/GHSA-g9fw-9x87-rmrj
What are Similar Vulnerabilities to CVE-2020-7020?
Similar Vulnerabilities: CVE-2023-26466, CVE-2023-27271, CVE-2022-38706, CVE-2020-1736, CVE-2023-35887
