CVE-2025-12147
BaseFortify
Publication date: 2025-10-29
Last updated on: 2025-10-30
Assigner: floragunn GmbH
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| search_guard | flx | 3.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
In Search Guard FLX versions 3.1.1 and earlier, Field-Level Security (FLS) rules are not properly enforced on fields that contain objects. While the entire object is excluded from the search results, the individual members or child attributes of that object remain accessible through search queries. This means that even if an object is supposed to be hidden, its contents can still be inferred or reconstructed by an attacker.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive data. Although the object itself is excluded from search results, its child attributes remain accessible, allowing adversaries to infer or reconstruct the original contents of the excluded object. This exposure can compromise data confidentiality and potentially lead to data leakage.
What immediate steps should I take to mitigate this vulnerability?
If you cannot upgrade immediately, and you are using Field-Level Security (FLS) exclusion rules for object-valued attributes (like ~object), add an additional exclusion rule for the members of the object (like ~object.*) to properly exclude child attributes and prevent exposure.