{"api_version":"1","generated_at":"2026-04-23T04:10:33+00:00","cve":"CVE-2019-13417","urls":{"html":"https://cve.report/CVE-2019-13417","api":"https://cve.report/api/cve/CVE-2019-13417.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-13417","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-13417"},"summary":{"title":"CVE-2019-13417","description":"Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.","state":"PUBLIC","assigner":"security@search-guard.com","published_at":"2019-08-12 21:15:00","updated_at":"2023-03-02 17:59:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0","name":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0","refsource":"CONFIRM","tags":["Release Notes","Vendor Advisory"],"title":"Search Guard 6.x-24.0 | Elasticsearch Security | Search Guard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://search-guard.com/cve-advisory/","name":"https://search-guard.com/cve-advisory/","refsource":"MISC","tags":["Vendor Advisory"],"title":"CVE - advisory - Search Guard","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-13417","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13417","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"13417","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"search-guard","cpe5":"search_guard","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"13417","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"search-guard","cpe5":"search_guard","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"security@search-guard.com","ID":"CVE-2019-13417","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Search Guard","version":{"version_data":[{"version_affected":"<","version_value":"24.0"}]}}]},"vendor_name":"floragunn"}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-863: Incorrect Authorization"}]}]},"references":{"reference_data":[{"url":"https://search-guard.com/cve-advisory/","refsource":"MISC","name":"https://search-guard.com/cve-advisory/"},{"refsource":"CONFIRM","url":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0","name":"https://docs.search-guard.com/6.x-25/changelog-searchguard-6-x-24_0"}]},"description":{"description_data":[{"lang":"eng","value":"Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated."}]}},"nvd":{"publishedDate":"2019-08-12 21:15:00","lastModifiedDate":"2023-03-02 17:59:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:search-guard:search_guard:*:*:*:*:*:*:*:*","versionEndExcluding":"24.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"13417","Ordinal":"151776","Title":"CVE-2019-13417","CVE":"CVE-2019-13417","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"13417","Ordinal":"1","NoteData":"Search Guard versions before 24.0 had an issue that field caps and mapping API leak field names (but not values) for fields which are not allowed for the user when field level security (FLS) is activated.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"13417","Ordinal":"2","NoteData":"2019-08-12","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"13417","Ordinal":"3","NoteData":"2019-08-12","Type":"Other","Title":"Modified"}]}}}