Bug 1849010 (CVE-2020-7011) - CVE-2020-7011 elasticsearch: displaying document URLs in the Reference UI is open for a xss attack
Summary: CVE-2020-7011 elasticsearch: displaying document URLs in the Reference UI is ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-7011
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1849012
 
Reported: 2020-06-19 13:16 UTC by Marian Rehak
Modified: 2021-06-07 15:02 UTC (History)
CC List: 45 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-06-24 12:50:15 UTC
Embargoed:



Description Marian Rehak 2020-06-19 13:16:51 UTC
If the Reference UI injects a URL into a result, that URL will be rendered by the web browser. If an attacker is able to control the contents of such a field, they could execute arbitrary JavaScript in the victim's web browser.

Upstream Issue:

https://discuss.elastic.co/t/enterprise-search-7-7-0-security-update/232505
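
The following is an added illustration of the sink described in the report, written for this page and not taken from Elastic's Reference UI or from any of the commenters. It shows a result renderer that drops an attacker-controlled url field straight into markup, next to a hardened version that only links to absolute http(s) URLs and escapes everything that reaches the HTML. The result objects, the function names (renderResultUnsafe, renderResultSafe, sanitizeHref, escapeHtml) and the payloads are all constructed for the example.

```javascript
// Added example, not Elastic code. Demonstrates why a URL field that an
// attacker can write into a search document is an XSS sink when the UI
// renders it, and one way to neutralise it. All names here are hypothetical.

// Constructed sample results: pretend these came back from the search index
// after an attacker managed to control the url field of two documents.
const SAMPLE_RESULTS = [
  { title: 'Getting started', url: 'https://docs.example.com/start' },
  { title: 'Pricing', url: 'javascript:alert(document.cookie)' },
  { title: 'Blog', url: '"><img src=x onerror=alert(1)>' },
];

// Vulnerable pattern: the field is interpolated directly into markup.
// Both the javascript: scheme and the quote-breaking payload reach the
// browser unchanged, so clicking (or merely rendering) runs attacker script.
function renderResultUnsafe(result) {
  return `<a href="${result.url}">${result.title}</a>`;
}

// Minimal HTML escaping, sufficient for text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Only absolute http(s) URLs may become link targets. Anything that fails to
// parse, or parses to another scheme (javascript:, data:, vbscript:, ...), is
// rejected outright rather than "cleaned". Parsing with the WHATWG URL class
// instead of a string-prefix check also defeats tricks such as "java\tscript:",
// because the parser strips tabs and newlines before reading the scheme.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
function sanitizeHref(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch (_) {
    return null; // relative or malformed input: no link
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Hardened pattern: validate the scheme first, then escape every value that
// lands in the markup. A rejected URL renders as plain text with no link.
function renderResultSafe(result) {
  const href = sanitizeHref(result.url);
  const title = escapeHtml(result.title);
  return href === null
    ? `<span>${title}</span>`
    : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${title}</a>`;
}

// Cheap regression check for the rendered output: no executable scheme survives.
function containsScriptScheme(html) {
  return /javascript:/i.test(html);
}

for (const r of SAMPLE_RESULTS) {
  console.log('unsafe:', renderResultUnsafe(r));
  console.log('safe:  ', renderResultSafe(r));
}
```

Note that escaping alone would not have been enough here: an escaped `javascript:` URL is still a `javascript:` URL once it sits in an href, so the scheme allowlist is the part that actually closes this bug class; the escaping covers the separate attribute-breakout vector.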

Comment 1 Joshua Padman 2020-06-24 03:59:03 UTC
This vulnerability is for Enterprise Search, a product from Elastic. We do not ship Enterprise Search, we only ship the underlying elasticsearch from Elastic.

