CVE-2021-22135

Published: May 13, 2021Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.

Affected (2)

Products: Elastic: Elasticsearch

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	Before 6.8.15
Elastic Elasticsearch	From 7.11.0 to 7.11.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125

Source: security@elastic.co

Vendor Advisory

https://security.netapp.com/advisory/ntap-20210625-0003/

Source: security@elastic.co

Third Party Advisory

https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.netapp.com/advisory/ntap-20210625-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.