Elasticsearch field disclosure flaw (ESA-2020-13)
A document disclosure flaw was found in Elasticsearch when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. As a result, a search could disclose the existence of documents the attacker should not be able to view, giving the attacker additional insight into potentially sensitive indices.
Thanks to Robert Coe, CTO at AcuityMD, for reporting this issue.
Affected Versions:
All versions of Elasticsearch before 7.9.2 and 6.8.13 are affected by this flaw.
Solutions and Mitigations:
Anyone using Document or Field Level Security should upgrade to Elasticsearch version 7.9.2 or 6.8.13. There is no known workaround for this flaw.
CVSSv3: 3.1 - AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVE ID: CVE-2020-7020
Enterprise Search certificate verification flaw (ESA-2020-14)
A TLS certificate validation flaw in the Atlassian connector was found in the oauth-ruby library used by Elastic Enterprise Search versions before 7.9.3.
When Enterprise Search is configured to connect to a Confluence Server, Jira Server, Confluence Cloud, or Jira Cloud, the oauth-ruby library does not properly verify the TLS certificate. This could allow a man-in-the-middle attack against Enterprise Search connections to an Atlassian service.
Affected Versions:
All versions of Elasticsearch Enterprise Search before 7.9.3 are affected by this flaw.
Solutions and Mitigations:
Anyone using Atlassian connectors should upgrade to Enterprise Search version 7.9.3. There is no known workaround for this flaw.
CVSSv3: 4.2 - AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVE ID: CVE-2016-11086
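Added example (not part of the Elastic advisories): a triage script that applies the affected-version statements of ESA-2020-13 and ESA-2020-14 to a host inventory. The inventory layout, host names and function names are assumptions made for illustration, as is the reading that a 6.x node is judged against 6.8.13 and every other release line against 7.9.2.

```python
import re

# Fixed releases, copied from the two advisories above.
ES_FIXED = {6: (6, 8, 13), 7: (7, 9, 2)}   # ESA-2020-13, per release line
ENT_SEARCH_FIXED = (7, 9, 3)                # ESA-2020-14

def parse_version(text):
    """Return (major, minor, patch) for '7.9.1', 'v7.10.0' or '6.8.12-SNAPSHOT'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.groups())

def elasticsearch_affected(version, uses_dls_or_fls):
    """ESA-2020-13 applies only where Document or Field Level Security is used."""
    if not uses_dls_or_fls:
        return False
    v = parse_version(version)
    # Assumption: 6.x is compared with 6.8.13, all other lines with 7.9.2.
    # Tuples compare numerically, so 7.10.0 is correctly newer than 7.9.2.
    return v < ES_FIXED.get(v[0], ES_FIXED[7])

def enterprise_search_affected(version, uses_atlassian_connector):
    """ESA-2020-14 applies only where an Atlassian connector is configured."""
    return uses_atlassian_connector and parse_version(version) < ENT_SEARCH_FIXED

CHECKS = {
    "elasticsearch": ("ESA-2020-13", elasticsearch_affected, "7.9.2 or 6.8.13"),
    "enterprise-search": ("ESA-2020-14", enterprise_search_affected, "7.9.3"),
}

def triage(inventory):
    """inventory rows: (host, product, version, relevant_feature_in_use)."""
    findings = []
    for host, product, version, feature in inventory:
        advisory, check, target = CHECKS[product]
        if check(version, feature):
            findings.append((host, advisory, version, target))
    return findings

SAMPLE = [  # constructed sample inventory, not real hosts
    ("es-a", "elasticsearch", "7.9.1", True),
    ("es-b", "elasticsearch", "6.8.13", True),
    ("es-c", "elasticsearch", "7.10.0", True),
    ("es-d", "elasticsearch", "6.8.12", False),
    ("ent-a", "enterprise-search", "7.9.2", True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%s: %s applies (running %s, upgrade to %s)" % row)
```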