CVE-2020-5289: 
Java vulnerability analysis and mitigation

CVE-2020-5289 affects Elide versions before 4.5.14. The vulnerability was discovered and disclosed on March 30, 2020. The issue allows an adversary to bypass read permissions on model fields by exploiting filter expressions in the API (GitHub Advisory).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper authorization (CWE-285) where read permissions are not properly enforced for client-provided filter expressions. When a model includes fields with different read permission levels, an attacker can construct filter expressions for inaccessible fields to filter collections (NVD).

An adversary can 'guess and check' the value of a model field they do not have access to, assuming they can read at least one other field in the model. By constructing filter expressions for an inaccessible field and observing the presence or absence of models in the returned collection, attackers can reconstruct the value of the inaccessible field (GitHub Advisory).

The vulnerability was patched in Elide version 4.5.14. As a workaround, model security can be adjusted by restricting read permissions on existing models to ensure all fields have the same permission level (GitHub Advisory).