Bug 1749222 (CVE-2019-13417)

Summary: CVE-2019-13417 search-guard: information disclosure in field level security (FLS)
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jcantril, jgoulding, jokerman, mchappel, nstielau, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:48:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1760651, 1760652, 1760653, 1760654    
Bug Blocks: 1749223    

Description Dhananjay Arunesh 2019-09-05 07:43:18 UTC 
A vulnerability was found in Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.

Reference:
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0
Comment 1 Dhananjay Arunesh 2019-09-05 07:43:36 UTC 
External References:

https://search-guard.com/cve-advisory/
Comment 2 Jason Shepherd 2019-10-11 01:45:36 UTC 
Field level security was added in Search Guard 5 which is used by OpenShift 3.11, and 4.1, but not earlier versions.