CVE-2021-22144

Published: Jul 26, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

Affected (3)

Products: Elastic: Elasticsearch · Oracle: Communications Cloud Native Core Automated Test Suite

1 product

1 product

Communications Cloud Native Core Automated Test Suite

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	Before 6.8.17
Elastic Elasticsearch	From 7.0.0 to 7.13.3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Cloud Native Core Automated Test Suite	Version 1.8.0

Related CWEs

Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

References (6)

https://discuss.elastic.co/t/elasticsearch-7-13-3-and-6-8-17-security-update/278100

Source: security@elastic.co

Release NotesVendor Advisory

https://security.netapp.com/advisory/ntap-20210827-0006/

Source: security@elastic.co

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: security@elastic.co

PatchThird Party Advisory

https://discuss.elastic.co/t/elasticsearch-7-13-3-and-6-8-17-security-update/278100

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://security.netapp.com/advisory/ntap-20210827-0006/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.