Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

🗓️ 01 Dec 2021 08:00:00Reported by MicrosoftType

Elasticsearch versions before 6.8.13 and 7.9.2 disclose documents due to faulty query permissions.

Reporter	Title	Published	Views	Family All 38
IBM Security Bulletins	Security Bulletin: IBM Cloud Private is vulnerable to Elastic vulnerabilities (CVE-2020-7020 )	2 Sep 202121:00	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilitiy affects IBM Observability with Instana	11 Jan 202220:10	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation	28 Sep 202107:03	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple security vulnerabilities have been identified in Elasticsearch shipped with IBM Tivoli Netcool Impact	6 Jul 202205:31	–	ibm
CBLMariner	CVE-2020-7020 affecting package rubygem-elasticsearch 7.6.0-1	26 May 202219:04	–	cbl_mariner
Circl	CVE-2020-7020	28 Jan 202400:49	–	circl
CNVD	Elasticsearch Information Disclosure Vulnerability (CNVD-2020-60336)	25 Oct 202000:00	–	cnvd
CVE	CVE-2020-7020	22 Oct 202016:30	–	cve
Cvelist	CVE-2020-7020	22 Oct 202016:30	–	cvelist
Elastic	Elastic Stack 7.9.3 and 6.8.13 Security Update	22 Oct 202015:34	–	elastic