CVE-2019-7611

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-7611

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-7611.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-7611

Aliases

GHSA-fj32-6v7m-57pg

Published

2019-03-25T19:29:02Z

Modified

2024-09-02T23:07:10Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dlsfls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type: GIT
Repo: https://github.com/elastic/elasticsearch
Events: Introduced

8f0685b924b9159807704ec2593b26e28105da44

Fixed

1fd8f691bf2e467057b864eea9103a6e3345af3e