Comment 7 for bug 1840201

Information for the security forum post:

Vulnerability type: Incorrect access control
Attack type: Remote
Impact: Information disclosure
Affected: Elasticsearch implementation in Mahara

In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before 19.10.2, file metadata information is disclosed to group members in the Elasticsearch result list despite them not having access to to that information any more.

Reference: https://bugs.launchpad.net/mahara/+bug/1840201
Credit: Lisa Seeto and Robert Lyon (Catalyst IT)

CVE: CVE-2020-9386
(link CVE number to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-9386 )