Bug 1893125 (CVE-2020-7020) - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure
Summary: CVE-2020-7020 elasticsearch: not properly preserving security permissions whe...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-7020
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1893126 1893127 1893128
Blocks: 1893129
Reported: 2020-10-30 09:32 UTC by Marian Rehak
Modified: 2022-07-07 14:20 UTC (History)

Fixed In Version: elasticsearch 7.9.2, elasticsearch 6.8.13
Clone Of:
Environment:
Last Closed: 2021-10-28 08:26:58 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2022:5532
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2022-07-07 14:20:12 UTC

Description Marian Rehak 2020-10-30 09:32:50 UTC
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Upstream Advisory:

https://discuss.elastic.co/t/elastic-stack-7-9-3-and-6-8-13-security-update/253033

Comment 1 Marian Rehak 2020-10-30 09:33:50 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1893127]
Affects: fedora-all [bug 1893128]
Affects: openstack-rdo [bug 1893126]

Comment 2 Marian Rehak 2020-10-30 09:33:57 UTC
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1893127]
Affects: fedora-all [bug 1893128]
Affects: openstack-rdo [bug 1893126]

Comment 5 Jonathan Christison 2020-11-02 15:19:50 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Przemyslaw Roguski 2020-11-09 15:14:21 UTC
Upstream PR:
https://github.com/elastic/elasticsearch/pull/61621

Comment 15 errata-xmlrpc 2022-07-07 14:20:09 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
