In Elide before 4.5.14, an adversary can "guess and check" the value of a model field they do not have access to, assuming they can read at least one other field in the model. The adversary can construct filter expressions on an inaccessible field to filter a collection. The presence or absence of models in the returned collection can then be used to reconstruct the value of the inaccessible field. This is resolved in Elide 4.5.14 and greater.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2020-03-30T21:20:14
Updated: 2024-08-04T08:22:09.123Z
Reserved: 2020-01-02T00:00:00
Link: CVE-2020-5289
NVD
Status: Modified
Published: 2020-03-30T22:15:15.463
Modified: 2024-11-21T05:33:50.560
Link: CVE-2020-5289