cvelist/2020/5xxx/CVE-2020-5289.json

{
    "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-5289",
        "STATE": "PUBLIC",
        "TITLE": "Read permissions not enforced for client provided filter expressions in Elide http client"
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "product": {
                        "product_data": [
                            {
                                "product_name": "elide",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_value": "< 4.5.14"
                                        }
                                    ]
                                }
                            }
                        ]
                    },
                    "vendor_name": "yahoo"
                }
            ]
        }
    },
    "data_format": "MITRE",
    "data_type": "CVE",
    "data_version": "4.0",
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In Elide before 4.5.14, it is possible for an adversary to \"guess and check\" the value of a model field they do not have access to assuming they can read at least one other field in the model.\nThe adversary can construct filter expressions for an inaccessible field to filter a collection.\nThe presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field.\n\nResolved in Elide 4.5.14 and greater."
            }
        ]
    },
    "impact": {
        "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
        }
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-285: Improper Authorization"
                    }
                ]
            }
        ]
    },
    "references": {
        "reference_data": [
            {
                "name": "https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v",
                "refsource": "CONFIRM",
                "url": "https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v"
            },
            {
                "name": "https://github.com/yahoo/elide/pull/1236",
                "refsource": "MISC",
                "url": "https://github.com/yahoo/elide/pull/1236"
            },
            {
                "name": "https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc",
                "refsource": "MISC",
                "url": "https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc"
            }
        ]
    },
    "source": {
        "advisory": "GHSA-2mxr-89gf-rc4v",
        "discovery": "UNKNOWN"
    }
}
"-Synchronized-Data." 2020-01-02 21:01:04 +00:00			`{`
			`"CVE_data_meta": {`
add CVE-2020-5289 for GHSA-2mxr-89gf-rc4v 2020-03-30 15:13:34 -06:00			`"ASSIGNER": "security-advisories@github.com",`
"-Synchronized-Data." 2020-01-02 21:01:04 +00:00			`"ID": "CVE-2020-5289",`
add CVE-2020-5289 for GHSA-2mxr-89gf-rc4v 2020-03-30 15:13:34 -06:00			`"STATE": "PUBLIC",`
			`"TITLE": "Read permissions not enforced for client provided filter expressions in Elide http client"`
"-Synchronized-Data." 2020-01-02 21:01:04 +00:00			`},`
add CVE-2020-5289 for GHSA-2mxr-89gf-rc4v 2020-03-30 15:13:34 -06:00			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "elide",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_value": "< 4.5.14"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name": "yahoo"`
			`}`
			`]`
			`}`
			`},`
			`"data_format": "MITRE",`
			`"data_type": "CVE",`
			`"data_version": "4.0",`
"-Synchronized-Data." 2020-01-02 21:01:04 +00:00			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
add CVE-2020-5289 for GHSA-2mxr-89gf-rc4v 2020-03-30 15:13:34 -06:00			`"value": "In Elide before 4.5.14, it is possible for an adversary to \"guess and check\" the value of a model field they do not have access to assuming they can read at least one other field in the model.\nThe adversary can construct filter expressions for an inaccessible field to filter a collection.\nThe presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field.\n\nResolved in Elide 4.5.14 and greater."`
"-Synchronized-Data." 2020-01-02 21:01:04 +00:00			`}`
			`]`
add CVE-2020-5289 for GHSA-2mxr-89gf-rc4v 2020-03-30 15:13:34 -06:00			`},`
			`"impact": {`
			`"cvss": {`
			`"attackComplexity": "LOW",`
			`"attackVector": "NETWORK",`
			`"availabilityImpact": "NONE",`
			`"baseScore": 6.8,`
			`"baseSeverity": "MEDIUM",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "NONE",`
			`"privilegesRequired": "LOW",`
			`"scope": "CHANGED",`
			`"userInteraction": "REQUIRED",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",`
			`"version": "3.1"`
			`}`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-285: Improper Authorization"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
			`"name": "https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v",`
			`"refsource": "CONFIRM",`
			`"url": "https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v"`
			`},`
			`{`
			`"name": "https://github.com/yahoo/elide/pull/1236",`
			`"refsource": "MISC",`
			`"url": "https://github.com/yahoo/elide/pull/1236"`
			`},`
			`{`
			`"name": "https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc",`
			`"refsource": "MISC",`
			`"url": "https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc"`
			`}`
			`]`
			`},`
			`"source": {`
			`"advisory": "GHSA-2mxr-89gf-rc4v",`
			`"discovery": "UNKNOWN"`
"-Synchronized-Data." 2020-01-02 21:01:04 +00:00			`}`
add CVE-2020-5289 for GHSA-2mxr-89gf-rc4v 2020-03-30 15:13:34 -06:00			`}`