CVE-2021-22134Sensitive Information Exposure in Elasticsearch

CWE-200Sensitive Information ExposureCWE-863Incorrect Authorization7 documents6 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 62.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Elastic ElasticsearchOracle Communications Cloud Native Core Automated Test Suite
Timeline
PublishedMar 8
Latest updateMar 18

Description

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

NVDelastic/elasticsearch7.6.07.11.0
CVEListV5elastic/elasticsearchafter 7.6.0 and before 7.11.0

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
Exposure of Sensitive Information to an Unauthorized Actor2021-03-18
OSV
Exposure of Sensitive Information to an Unauthorized Actor2021-03-18
OSV
CVE-2021-22134: A document disclosure flaw was found in Elasticsearch versions after 72021-03-08
CVEList
CVE-2021-22134: A document disclosure flaw was found in Elasticsearch versions after 72021-03-08

📋Vendor Advisories

2
Microsoft
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when2021-03-09
Red Hat
elasticsearch: requests do not properly apply security permissions when executing a query against a recently updated document2021-03-01
CVE-2021-22134 — Sensitive Information Exposure | cvebase