Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unauthorized access to fields protected by Field-Level Security (FLS) when those fields are members of an object
Vulnerability Description
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are improperly enforced on object-valued fields. When an FLS exclusion rule (e.g., ~field) is applied to a field which contains an object as its value, the object is correctly removed from the _source returned by search operations. However, the object members (i.e., child attributes) remain accessible to search queries. This exposure allows adversaries to infer or reconstruct the original contents of the excluded object. Workaround - If you cannot upgrade immediately and FLS exclusion rules are used for object valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*).
CVSS Information
N/A
Vulnerability Type
信息暴露
Vulnerability Title
Floragunn Search Guard FLX 安全漏洞
Vulnerability Description
Floragunn Search Guard FLX是德国Floragunn公司的一款用于保护Elastic Search的安全组件。 Floragunn Search Guard FLX 3.1.1及之前版本存在安全漏洞,该漏洞源于对象值字段的字段级安全规则执行不当,可能导致攻击者推断或重建被排除对象的原始内容。
CVSS Information
N/A
Vulnerability Type
N/A