From c7c45ed1e1a498b1435182e31c856d793f961ca3 Mon Sep 17 00:00:00 2001
From: Josh Bressers
Date: Tue, 18 Aug 2020 11:35:27 -0500
Subject: [PATCH] Update CVE IDs for Elastic 7.9.0/6.8.12 release
---
 2020/7xxx/CVE-2020-7018.json | 60 ++++++++++++++++++++++++++++++------
 2020/7xxx/CVE-2020-7019.json | 60 ++++++++++++++++++++++++++++++------
 2 files changed, 102 insertions(+), 18 deletions(-)
diff --git a/2020/7xxx/CVE-2020-7018.json b/2020/7xxx/CVE-2020-7018.json
index c172a92f464..0f70b9e587b 100644
--- a/2020/7xxx/CVE-2020-7018.json
+++ b/2020/7xxx/CVE-2020-7018.json
@@ -3,16 +3,58 @@
 "data_format": "MITRE",
 "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "bressers@elastic.co",
 "ID": "CVE-2020-7018",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Elastic",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Elastic Enterprise Search",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "before 7.9.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-266: Incorrect Privilege Assignment"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://discuss.elastic.co/t/enterprise-search-7-9-0-security-update/245457"
+ }
+ ]
 },
 "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. If a user is given the �developer� role, they will be able to view the administrator API credentials. These credentials could allow the developer user to conduct operations with the same permissions of the App Search administrator."
+ }
+ ]
 }
-}
\ No newline at end of file
+}
diff --git a/2020/7xxx/CVE-2020-7019.json b/2020/7xxx/CVE-2020-7019.json
index bc2321ca583..66c99575f86 100644
--- a/2020/7xxx/CVE-2020-7019.json
+++ b/2020/7xxx/CVE-2020-7019.json
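Review bot: In CVE-2020-7018.json the added description value shows replacement characters around the role name (`�developer�`) as rendered on this page, which suggests typographic quotes were saved in an encoding other than UTF-8; plain ASCII quoting such as `given the 'developer' role` would survive any consumer. The affected range is also carried only as free text, `"version_value": "before 7.9.0"`, which version-comparing tooling cannot evaluate; the 4.0 format allows `"version_affected": "<", "version_value": "7.9.0"` instead. The same free-text range appears in the CVE-2020-7019.json hunk.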
@@ -3,16 +3,58 @@
 "data_format": "MITRE",
 "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "bressers@elastic.co",
 "ID": "CVE-2020-7019",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC"
+ },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "vendor_name": "Elastic",
+ "product": {
+ "product_data": [
+ {
+ "product_name": "Elasticsearch",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "before 7.9.0"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-270: Privilege Context Switching Error"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "url": "https://discuss.elastic.co/t/elastic-stack-7-9-0-and-6-8-12-security-update/245456"
+ }
+ ]
 },
 "description": {
- "description_data": [
- {
- "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
- }
- ]
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "In Elasticsearch before 7.9.0 and 6.8.12 a field disclosure flaw was found when running a scrolling search with Field Level Security. If a user runs the same query another more privileged user recently ran, the scrolling search can leak fields that should be hidden. This could result in an attacker gaining additional permissions against a restricted index."
+ }
+ ]
 }
-}
\ No newline at end of file
+}
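Review bot: The `affects` block for CVE-2020-7019 lists a single entry, `"version_value": "before 7.9.0"`, while the added description names two fixed releases, 7.9.0 and 6.8.12, so the machine-readable data does not record that the 6.8 line is fixed at 6.8.12. A consumer that matches on `version_data` alone may flag a patched 6.8.12 deployment as affected. A second `version_data` entry such as `{ "version_value": "6.8.x before 6.8.12" }` would keep the structured range in step with the prose.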