4 matches found
CVE-2020-5289
In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The...
CVE-2020-5289 Read permissions not enforced for client provided filter expressions in Elide http client
In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The...
CVE-2020-5289
In Elide before 4.5.14, an adversary can infer the value of a model field they cannot access by crafting client-side filter expressions to reveal presence/absence of models in a collection, effectively reconstructing the inaccessible field. This arises from read-permission checks not enforcing co...
com.spotify:apollo-elide (>=0.0.1 <=0.0.3), com.yahoo.elide:dropwizard-elide (>=2.3.0 <=3.2.2) +17 more potentially affected by CVE-2020-5289 via com.yahoo.elide:elide-core (>=1.0.0.1 <=4.5.13)
com.yahoo.elide:elide-core MAVEN version =1.0.0.1, =0.0.1, =2.3.0, =1.0.0.8, =1.0.0.6, =1.0.0.6, =1.0.0.6, =4.4.0, =1.0.0.6, =3.0.0, =4.5.0, =1.0.0.1, =1.0.0.1, =1.0.0.1, =4.0-beta-1, =4.5.12, =4.5.13 and more Source cves: CVE-2020-5289 Source advisory: OSV:GHSA-2MXR-89GF-RC4V...