Vulnerabilities > CVE-2020-5289 - Files or Directories Accessible to External Parties vulnerability in Elide

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
elide
CWE-552
NVD
Published: 2020-03-30
Updated: 2020-04-01

Summary

In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater.

Vulnerable Configurations

Part Description Count
Application
Elide
154

Common Weakness Enumeration (CWE)

References