{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2020-7014","title":"Title"},{"category":"description","text":"The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2020-7014","url":"https://www.suse.com/security/cve/CVE-2020-7014"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1172508 for CVE-2020-7014","url":"https://bugzilla.suse.com/1172508"}],"title":"SUSE CVE CVE-2020-7014","tracking":{"current_release_date":"2025-04-25T05:44:08Z","generator":{"date":"2023-02-15T04:02:01Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2020-7014","initial_release_date":"2023-02-15T04:02:01Z","revision_history":[{"date":"2023-02-15T04:02:01Z","number":"2","summary":"Current version"},{"date":"2025-01-01T05:52:08Z","number":"3","summary":"Current version"},{"date":"2025-02-15T06:29:10Z","number":"4","summary":"Current version"},{"date":"2025-02-17T06:50:37Z","number":"5","summary":"Current version"},{"date":"2025-03-15T10:10:36Z","number":"6","summary":"Current version"},{"date":"2025-04-25T05:44:08Z","number":"7","summary":"Current version"}],"status":"interim","version":"7"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"HPE Helion OpenStack 8","product":{"name":"HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8","product_identification_helper":{"cpe":"cpe:/o:suse:hpe-helion-openstack:8"}}},{"category":"product_name","name":"HPE Helion OpenStack Cloud 8","product":{"name":"HPE Helion OpenStack Cloud 8","product_id":"HPE Helion OpenStack Cloud 8"}},{"category":"product_name","name":"SUSE OpenStack Cloud 7","product":{"name":"SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:7"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 8","product":{"name":"SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud 9","product":{"name":"SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud:9"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_version","name":"elasticsearch","product":{"name":"elasticsearch","product_id":"elasticsearch","product_identification_helper":{"cpe":"cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/elasticsearch@?upstream=elasticsearch.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of HPE Helion OpenStack 8","product_id":"HPE Helion OpenStack 8:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"HPE Helion OpenStack 8"},{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of HPE Helion OpenStack Cloud 8","product_id":"HPE Helion OpenStack Cloud 8:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"HPE Helion OpenStack Cloud 8"},{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of SUSE OpenStack Cloud 7","product_id":"SUSE OpenStack Cloud 7:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"SUSE OpenStack Cloud 7"},{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of SUSE OpenStack Cloud 8","product_id":"SUSE OpenStack Cloud 8:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"SUSE OpenStack Cloud 8"},{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of SUSE OpenStack Cloud 9","product_id":"SUSE OpenStack Cloud 9:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"SUSE OpenStack Cloud 9"},{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"elasticsearch as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:elasticsearch"},"product_reference":"elasticsearch","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2020-7014","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2020-7014"}],"notes":[{"category":"general","text":"The fix for CVE-2020-7009 was found to be incomplete. Elasticsearch versions from 6.7.0 to 6.8.7 and 7.0.0 to 7.6.1 contain a privilege escalation flaw if an attacker is able to create API keys and also authentication tokens. An attacker who is able to generate an API key and an authentication token can perform a series of steps that result in an authentication token being generated with elevated privileges.","title":"CVE description"}],"product_status":{"known_not_affected":["HPE Helion OpenStack 8:elasticsearch","HPE Helion OpenStack Cloud 8:elasticsearch","SUSE OpenStack Cloud 7:elasticsearch","SUSE OpenStack Cloud 8:elasticsearch","SUSE OpenStack Cloud 9:elasticsearch","SUSE OpenStack Cloud Crowbar 8:elasticsearch","SUSE OpenStack Cloud Crowbar 9:elasticsearch"]},"references":[{"category":"external","summary":"CVE-2020-7014","url":"https://www.suse.com/security/cve/CVE-2020-7014"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1172508 for CVE-2020-7014","url":"https://bugzilla.suse.com/1172508"}],"threats":[{"category":"impact","date":"2020-06-03T22:42:15Z","details":"important"}],"title":"CVE-2020-7014"}]}