CVE-2020-7019

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-7019

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7019.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2020-7019

Aliases

Downstream

UBUNTU-CVE-2020-7019

Published

2020-08-18T17:15:11.677Z

Modified

2026-02-12T00:39:35.490729Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type: GIT
Repo: https://github.com/elastic/elasticsearch
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7a15d2a169913a2d6116dcc081bc592fbf8d9b1c

Introduced

b7e28a7232616c7a21bc879a535d801b8553ba77

Fixed

a479a2a7fce0389512d6a9361301708b92dff667

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-7019.json"

vanir_signatures

[
    {
        "signature_version": "v1",
        "id": "CVE-2020-7019-378d383b",
        "source": "https://github.com/elastic/elasticsearch/commit/7a15d2a169913a2d6116dcc081bc592fbf8d9b1c",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "33700910255388530416614722804838808240",
                "283321331458333701049113082749785038621",
                "277240852765934126252479649156350527682",
                "26222600426155319217510419949709038702",
                "65763552740487908587064304065730012887",
                "335084368242059581868770287423715274704",
                "339310963727942587192833900239825564771"
            ]
        },
        "target": {
            "file": "server/src/main/java/org/elasticsearch/common/settings/AddStringKeyStoreCommand.java"
        },
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "id": "CVE-2020-7019-6aa7f02f",
        "source": "https://github.com/elastic/elasticsearch/commit/7a15d2a169913a2d6116dcc081bc592fbf8d9b1c",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "178997583131516744790415957980486588379",
                "19372987556394986489817224675251636362",
                "63654519137437588592131489423807624749"
            ]
        },
        "target": {
            "file": "server/src/test/java/org/elasticsearch/common/settings/AddStringKeyStoreCommandTests.java"
        },
        "signature_type": "Line",
        "deprecated": false
    },
    {
        "signature_version": "v1",
        "id": "CVE-2020-7019-6af4d319",
        "source": "https://github.com/elastic/elasticsearch/commit/7a15d2a169913a2d6116dcc081bc592fbf8d9b1c",
        "digest": {
            "function_hash": "279730468595250626772673995120545336492",
            "length": 1521.0
        },
        "target": {
            "file": "server/src/main/java/org/elasticsearch/common/settings/AddStringKeyStoreCommand.java",
            "function": "execute"
        },
        "signature_type": "Function",
        "deprecated": false
    }
]