Vulnerabilities > CVE-2020-5289 - Files or Directories Accessible to External Parties vulnerability in Elide
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/yahoo/elide/pull/1236
- https://github.com/yahoo/elide/pull/1236
- https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc
- https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc904337096399de4576dc
- https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v
- https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4v