Vulnerability Description
In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field. Resolved in Elide 4.5.14 and greater.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elide | Elide | < 4.5.14 |
Related Weaknesses (CWE)
References
- https://github.com/yahoo/elide/pull/1236PatchThird Party Advisory
- https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc90433709639Patch
- https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4vThird Party Advisory
- https://github.com/yahoo/elide/pull/1236PatchThird Party Advisory
- https://github.com/yahoo/elide/pull/1236/commits/a985f0f9c448aabe70bc90433709639Patch
- https://github.com/yahoo/elide/security/advisories/GHSA-2mxr-89gf-rc4vThird Party Advisory
FAQ
What is CVE-2020-5289?
CVE-2020-5289 is a vulnerability with a CVSS score of 6.8 (MEDIUM). In Elide before 4.5.14, it is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adv...
How severe is CVE-2020-5289?
CVE-2020-5289 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5289?
Check the references section above for vendor advisories and patch information. Affected products include: Elide Elide.