6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5289

GHSA ID

GHSA-2mxr-89gf-rc4v

EPSS Score

0.54789%

CWE

CWE-285

Published

3/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-5289

CVE-2020-5289: Read permissions not enforced for client provided filter expressions in Elide.

Impact

It is possible for an adversary to "guess and check" the value of a model field they do not have access to assuming they can read at least one other field in the model. The adversary can construct filter expressions for an inaccessible field to filter a collection. The presence or absence of models in the returned collection can be used to reconstruct the value of the inaccessible field.

For example, a User model has two fields: name and role. The adversary has read permissions to see the name field of the User collection but not the role. By constructing a filter like the one below, the adversary can determine which users have admin role by presence or absence in the returned collection: filter=role=="Admin"

Patches

Resolved in Elide 4.5.14 and greater.

Workarounds

The adversary can only access the fields if a model includes fields with different read permission levels (some less secure and some more secure). Model security can be adjusted by restricting read permissions on existing models.

References

Fixed in https://github.com/yahoo/elide/pull/1236

For more information

If you have any questions or comments about this advisory:

Open an issue in elide
Contact us at spectrum

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-5289

GHSA ID

GHSA-2mxr-89gf-rc4v

EPSS Score

0.54789%

CWE

CWE-285

Published

3/30/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.yahoo.elide:elide-core	maven	< 4.5.14	4.5.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing ReadPermission enforcement during filter expression processing. The fix introduced EnforceJoinFilterExpressionVisitor to validate() field accessibility, and modified RequestScope.getLoadFilterExpression to use it. The original implementations of these functions lacked the permission checks, as evidenced by the PR's focus on adding visitor-based enforcement and refactoring filter construction logic. The high confidence comes from the explicit security-focused changes in the referenced pull request and commit messages.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is possi*l* *or *n **v*rs*ry to "*u*ss *n* ****k" t** v*lu* o* * mo**l *i*l* t**y *o not **v* ****ss to *ssumin* t**y **n r*** *t l**st on* ot**r *i*l* in t** mo**l. T** **v*rs*ry **n *onstru*t *ilt*r *xpr*ssions *or *n in****ssi*l* *i

Reasoning

T** vuln*r**ility st*mm** *rom missin* R***P*rmission *n*or**m*nt *urin* *ilt*r *xpr*ssion pro**ssin*. T** *ix intro*u*** `*n*or**Join*ilt*r*xpr*ssionVisitor` to `v*li**t*()` *i*l* ****ssi*ility, *n* mo*i*i** `R*qu*stS*op*.**tLo***ilt*r*xpr*ssion` to

6.8

Basic Information

Concerned about an active attack path?

CVE-2020-5289: Read permissions not enforced for client provided filter expressions in Elide.

Impact

Patches

Workarounds

References

For more information

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI