Information Disclosure Affecting org.elasticsearch.plugin:x-pack package, versions [7.0.0,7.9.0) [6.0.0,6.8.12)


0.0
medium
  • Attack Complexity

    High

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGELASTICSEARCHPLUGIN-607917

  • published

    20 Aug 2020

  • disclosed

    18 Aug 2020

  • credit

    Unknown

How to fix?

Upgrade org.elasticsearch.plugin:x-pack to version 7.9.0, 6.8.12 or higher.

Overview

org.elasticsearch.plugin:x-pack is an Elasticsearch Expanded Pack Plugin

Affected versions of this package are vulnerable to Information Disclosure. A field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.