Bug 1870346 (CVE-2020-7019)

Summary: CVE-2020-7019 elasticsearch: scrolling search can leak fields that should be hidden allowing access restriction bypass
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, apevec, bmontgom, chazlett, dbecker, dbruno, drieden, eparis, etirelli, ggaughan, gmalinko, ibek, janstey, jburrell, jcantril, jjoyce, jochrist, jokerman, jschluet, jstastny, jtfas90, jwon, kbasil, krathod, kverlaen, lhh, lpeer, mburns, mnovotny, nstielau, paradhya, piotr1212, pjindal, rrajasek, rsynek, sclewis, sdaley, slinaber, sponnaga, steve.traylen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: elasticsearch 7.9.0, elasticsearch 6.8.12 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-24 21:15:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1870347, 1870348, 1870349    
Bug Blocks: 1870351    

Description Guilherme de Almeida Suckevicz 2020-08-19 20:28:25 UTC 
In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

Reference:
https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
Comment 1 Guilherme de Almeida Suckevicz 2020-08-19 20:28:55 UTC 
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1870347]
Affects: fedora-all [bug 1870349]
Affects: openstack-rdo [bug 1870348]
Comment 4 Przemyslaw Roguski 2020-08-24 16:02:04 UTC 
External References:

https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456
https://www.elastic.co/community/security/
Comment 6 Product Security DevOps Team 2020-08-24 21:15:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7019