1749222 – (CVE-2019-13417) CVE-2019-13417 search-guard: information disclosure in field level security (FLS)

Bug 1749222 (CVE-2019-13417) - CVE-2019-13417 search-guard: information disclosure in field level security (FLS)

Summary: CVE-2019-13417 search-guard: information disclosure in field level security (...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-13417
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1760651 1760652 1760653 1760654
Blocks:	1749223
TreeView+	depends on / blocked

Reported:	2019-09-05 07:43 UTC by Dhananjay Arunesh
Modified:	2021-10-27 10:48 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-10-27 10:48:09 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2019-09-05 07:43:18 UTC

A vulnerability was found in Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.

Reference:
https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0

Comment 1 Dhananjay Arunesh 2019-09-05 07:43:36 UTC

External References:

https://search-guard.com/cve-advisory/

Comment 2 Jason Shepherd 2019-10-11 01:45:36 UTC

Field level security was added in Search Guard 5 which is used by OpenShift 3.11, and 4.1, but not earlier versions.

Note You need to log in before you can comment on or make changes to this bug.