Forums | Mahara Community

Security Announcements /
Security issue relating to incorrect access control in Elasticsearch results <18.10.5, <19.04.4, <19.10.2


This topic is closed. Only moderators and the group administrators can post new replies.
Kristina Hoeppner's profile picture
Posts: 4053

04 March 2020, 18:38

Vulnerability type: Incorrect access control
Impact: Information disclosure
Affected: Elasticsearch implementation in Mahara

In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to that information any more.

Reference: Launchpad bug 1840201
Credit: Lisa Seeto and Robert Lyon (Catalyst IT)
CVE reference: CVE-2020-9386

Get the latest releases from our Git repository. You can also download them from Launchpad:

Edits to this post:
1 result