Bug 737958 (CVE-2020-7019) - <app-misc/elasticsearch-{6.8.12, 7.9.0}: Access restriction bypass (CVE-2020-7019)
Status: IN_PROGRESS
Alias: CVE-2020-7019
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://discuss.elastic.co/t/elastic-...
Whiteboard: ~4 [cleanup]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-08-19 00:11 UTC by John Helmert III (ajak)
Modified: 2020-09-20 16:02 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III (ajak) 2020-08-19 00:11:28 UTC
CVE-2020-7019:

A field disclosure flaw was found in Elasticsearch when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index.

All versions of Elasticsearch before 7.9.0 and 6.8.12 are affected by this flaw.


Maintainer, please bump and if possible add slots to differentiate between branches.
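Because the fix landed on two branches (6.8.12 and 7.9.0), a plain string comparison against a single "fixed" version misclassifies e.g. 7.0.0 as safe. The following is an added example for this bug, not Gentoo's or Elastic's code: it parses the version number that an Elasticsearch node reports from its root endpoint (GET /, which returns a JSON document with a "version" object holding "number") and decides per branch whether the node is still affected by CVE-2020-7019 as described in the advisory text above. The JSON responses embedded below are constructed; the function and variable names are this example's own.

```python
"""Per-branch affected-version check for CVE-2020-7019 (Elasticsearch
field-level-security leak in scrolling searches).

Added example for this bug page; not Gentoo's or Elastic's own code.
Assumes the node's root endpoint (GET /) returns JSON of the shape
{"version": {"number": "X.Y.Z", ...}, ...}.
"""
import json
import re

# Fixed versions per release branch, from the advisory text:
# "All versions of Elasticsearch before 7.9.0 and 6.8.12 are affected."
FIXED_BY_BRANCH = {6: (6, 8, 12), 7: (7, 9, 0)}


def parse_version(number):
    """Turn '7.8.1' (or '7.9.0-SNAPSHOT', suffix ignored) into (7, 8, 1)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", number)
    if not m:
        raise ValueError("unrecognised Elasticsearch version: %r" % number)
    return tuple(int(part) for part in m.groups())


def is_vulnerable(number):
    """True when the reported version predates the fix on its own branch.

    Branches older than 6.x never received a fix, so they count as affected;
    8.x and later were released after the fix and are not.
    """
    major, minor, patch = parse_version(number)
    if major < 6:
        return True
    if major > 7:
        return False
    # Tuple comparison is numeric per component, so 6.8.12 vs 6.8.9 is
    # handled correctly (a lexical string compare would get this wrong).
    return (major, minor, patch) < FIXED_BY_BRANCH[major]


def check_root_response(body):
    """Parse a GET / response body and return (version, vulnerable)."""
    doc = json.loads(body)
    number = doc["version"]["number"]
    return number, is_vulnerable(number)


# Constructed sample responses, trimmed to the fields this check uses.
SAMPLE_RESPONSES = {
    "old-7x": '{"name": "node-1", "version": {"number": "7.8.1"}}',
    "fixed-7x": '{"name": "node-2", "version": {"number": "7.9.0"}}',
    "old-6x": '{"name": "node-3", "version": {"number": "6.8.11"}}',
    "fixed-6x": '{"name": "node-4", "version": {"number": "6.8.12"}}',
    "early-7x": '{"name": "node-5", "version": {"number": "7.0.0"}}',
}


if __name__ == "__main__":
    for label, body in SAMPLE_RESPONSES.items():
        version, vuln = check_root_response(body)
        print("%-9s %-8s %s" % (label, version,
                                "VULNERABLE" if vuln else "fixed"))
```

Against a live node the body passed to check_root_response would come from something like `curl -s http://localhost:9200/` (with credentials if security is enabled); the check is deliberately per branch so that an upgrade from 6.8.12 to an unpatched 7.x release is not mistaken for an improvement.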
Comment 1 Larry the Git Cow gentoo-dev 2020-08-30 21:46:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3168257126a49b7f613b034a136e689c47442cb

commit b3168257126a49b7f613b034a136e689c47442cb
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2020-08-28 04:20:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-30 21:46:31 +0000

    app-misc/elasticsearch: bump to 6.8.12/7.9.0
    
    Bug: https://bugs.gentoo.org/737958
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-misc/elasticsearch/Manifest                    |  4 +
 app-misc/elasticsearch/elasticsearch-6.8.12.ebuild | 88 ++++++++++++++++++++++
 app-misc/elasticsearch/elasticsearch-7.9.0.ebuild  | 83 ++++++++++++++++++++
 3 files changed, 175 insertions(+)
Comment 2 Sam James archtester gentoo-dev Security 2020-08-30 22:46:42 UTC
Please cleanup.
Comment 3 Tomáš Mózes 2020-08-31 05:56:42 UTC
Pretty annoying regression in kibana 7.9.0, sadly you cannot revert back once you upgrade to it:

https://github.com/elastic/kibana/issues/76227
Comment 4 John Helmert III (ajak) 2020-09-20 16:02:27 UTC
Ping