Impact
Elide up to version 7.1.17 does not enforce the @ReadPermission annotation on client‑supplied sort expressions evaluated in SortingImpl.getValidSortingRules. When a malicious user supplies a sort parameter naming a field they lack read permission for, the framework still sorts the returned collection by that field. Sorting on a hidden field lets the attacker infer the relative ordering of that field's values across all returned rows, leaking information about its value distribution even though the field itself is never exposed.
Affected Systems
The affected product is Yahoo's Elide framework, in all releases up to and including 7.1.17. Users running any of those versions should verify their installed version and plan an upgrade to a later release that addresses this issue.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity for this vulnerability. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so there is no current evidence of exploitation in the wild; the likely attack vector is an API or GraphQL request that carries a sort parameter. An attacker who can trigger sorting on a restricted field can observe the returned row order to derive relative field values, violating the confidentiality of data hidden by @ReadPermission.
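As an added illustration, not Elide's own code, the following Java snippet shows the kind of check the flaw omits: a hypothetical validator that rejects a client-supplied sort rule whenever the caller lacks the read permission declared on the named field. The ReadPermission annotation, the Employee model and the role-name permission expression are all constructed for this example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.*;
// Hypothetical stand-in for Elide's @ReadPermission; here the expression is simply a role name.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface ReadPermission { String expression(); }
// Sample model constructed for this example: salary is readable by the Admin role only.
class Employee {
    public String name;
    @ReadPermission(expression = "Admin")
    public int salary;
}
class SortRuleCheck {
    // Accept a client-supplied sort rule ("field" or "-field") only if the caller may read
    // that field. Fields without @ReadPermission are readable by everyone in this simplified
    // model. A denied field raises instead of being sorted on silently, so no ordering
    // information about it reaches the client.
    static List<String> validSortingRules(Class<?> type, List<String> rules, Set<String> roles) {
        List<String> accepted = new ArrayList<>();
        for (String rule : rules) {
            String fieldName = rule.startsWith("-") ? rule.substring(1) : rule;
            Field field;
            try {
                field = type.getDeclaredField(fieldName);
            } catch (NoSuchFieldException e) {
                throw new IllegalArgumentException("unknown sort field: " + fieldName);
            }
            ReadPermission perm = field.getAnnotation(ReadPermission.class);
            if (perm != null && !roles.contains(perm.expression())) {
                throw new SecurityException("sort on protected field denied: " + fieldName);
            }
            accepted.add(rule);
        }
        return accepted;
    }
    public static void main(String[] args) {
        // A plain user may sort by name, but not by the Admin-only salary field.
        System.out.println(validSortingRules(Employee.class, List.of("name"), Set.of("User")));
        try {
            validSortingRules(Employee.class, List.of("-salary"), Set.of("User"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```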
OpenCVE Enrichment