Information Disclosure Affecting org.elasticsearch.plugin:x-pack Open this link in a new tab package, versions [7.0.0,7.9.0) [6.0.0,6.8.12)

  • Attack Complexity


  • Confidentiality


Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id


  • published

    20 Aug 2020

  • disclosed

    18 Aug 2020

  • credit


How to fix?

Upgrade org.elasticsearch.plugin:x-pack to version 7.9.0, 6.8.12 or higher.


org.elasticsearch.plugin:x-pack is an Elasticsearch Expanded Pack Plugin

Affected versions of this package are vulnerable to Information Disclosure. A field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.