GHSA-fj32-6v7m-57pg

Source

https://github.com/advisories/GHSA-fj32-6v7m-57pg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fj32-6v7m-57pg/GHSA-fj32-6v7m-57pg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fj32-6v7m-57pg

Aliases

CVE-2019-7611

Published

2022-05-13T01:14:26Z

Modified

2023-11-08T04:01:38.856498Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Improper Access Control in Elasticsearch

Details

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the aliases, _shrink, or _split endpoints are used . If the elasticsearch.yml file has xpack.security.dlsfls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above, to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.

Database specific

{
    "nvd_published_at": "2019-03-25T19:29:00Z",
    "github_reviewed_at": "2022-06-27T14:25:21Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-284"
    ]
}

References

Affected packages

Maven / org.elasticsearch:elasticsearch

Package

Name: org.elasticsearch:elasticsearch; View open source insights on deps.dev
Purl: pkg:maven/org.elasticsearch/elasticsearch

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.15

Affected versions

0.*

0.6.0

0.7.0

0.7.1

0.8.0

0.9.0

0.10.0

0.11.0

0.12.0

0.12.1

0.13.0

0.13.1

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.15.2

0.16.0

0.16.1

0.16.2

0.16.3

0.16.4

0.16.5

0.17.0

0.17.1

0.17.2

0.17.3

0.17.4

0.17.5

0.17.6

0.17.7

0.17.8

0.17.9

0.17.10

0.18.0

0.18.1

0.18.2

0.18.3

0.18.4

0.18.5

0.18.6

0.18.7

0.19.0.RC1

0.19.0.RC2

0.19.0.RC3

0.19.0

0.19.1

0.19.2

0.19.3

0.19.4

0.19.5

0.19.6

0.19.7

0.19.8

0.19.9

0.19.10

0.19.11

0.19.12

0.20.0.RC1

0.20.0

0.20.1

0.20.2

0.20.3

0.20.4

0.20.5

0.20.6

0.90.0.Beta1

0.90.0.RC1

0.90.0.RC2

0.90.0

0.90.1

0.90.2

0.90.3

0.90.4

0.90.5

0.90.6

0.90.7

0.90.8

0.90.9

0.90.10

0.90.11

0.90.12

0.90.13

1.*

1.0.0.Beta1

1.0.0.Beta2

1.0.0.RC1

1.0.0.RC2

1.0.0

1.0.1

1.0.2

1.0.3

1.1.0

1.1.1

1.1.2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.4.0.Beta1

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.5.0

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

2.*

2.0.0-beta1

2.0.0-beta2

2.0.0-rc1

2.0.0

2.0.1

2.0.2

2.1.0

2.1.1

2.1.2

2.2.0

2.2.1

2.2.2

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

5.*

5.0.0-alpha1

5.0.0-alpha2

5.0.0-alpha3

5.0.0-alpha4

5.0.0-alpha5

5.0.0-beta1

5.0.0-rc1

5.0.0

5.0.1

5.0.2

5.1.1

5.1.2

5.2.0

5.2.1

5.2.2

5.3.0

5.3.1

5.3.2

5.3.3

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.5.1

5.5.2

5.5.3

5.6.0

5.6.1

5.6.2

5.6.3

5.6.4

5.6.5

5.6.6

5.6.7

5.6.8

5.6.9

5.6.10

5.6.11

5.6.12

5.6.13

5.6.14

Maven / org.elasticsearch:elasticsearch

Package

Name: org.elasticsearch:elasticsearch; View open source insights on deps.dev
Purl: pkg:maven/org.elasticsearch/elasticsearch

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.6.1

Affected versions

6.*

6.0.0

6.0.1

6.1.0

6.1.1

6.1.2

6.1.3

6.1.4

6.2.0

6.2.1

6.2.2

6.2.3

6.2.4

6.3.0

6.3.1

6.3.2

6.4.0

6.4.1

6.4.2

6.4.3

6.5.0

6.5.1

6.5.2

6.5.3

6.5.4

6.6.0