CVE-2021-22134
Published 2021-03-08
CVE-2021-22134: A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not…
Priority: P4 · 21 · medium · 4.3 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:N / A:N
EPSS: 1.11% (61.9th percentile)
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | 7.6.0 – 7.11.0 | — |
| msrc | cm1_rubygem-elasticsearch_8.2.0-1_on_cbl_mariner_1.0 | — | — |
| oracle | communications_cloud_native_core_automated_test_suite | — | — |
CVSS provenance
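| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 4.3 | MEDIUM | — |
| vendor_msrc | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |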
GHSA
Exposure of Sensitive Information to an Unauthorized Actor
ghsa·2021-03-18
CVE-2021-22134 [MEDIUM] CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
OSV
Exposure of Sensitive Information to an Unauthorized Actor
osv·2021-03-18
CVE-2021-22134 [MEDIUM] Exposure of Sensitive Information to an Unauthorized Actor
OSV
CVE-2021-22134: A document disclosure flaw was found in Elasticsearch versions after 7
osv·2021-03-08·CVSS 4.3
CVE-2021-22134 [MEDIUM] CVE-2021-22134: A document disclosure flaw was found in Elasticsearch versions after 7
Microsoft
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when
vendor_msrc·2021-03-09·CVSS 4.3
CVE-2021-22134 [MEDIUM] CWE-863 A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libr
Red Hat
elasticsearch: requests do not properly apply security permissions when executing a query against a recently updated document
vendor_redhat·2021-03-01·CVSS 4.3
CVE-2021-22134 [MEDIUM] CWE-863 elasticsearch: requests do not properly apply security permissions when executing a query against a recently updated document
A flaw was found in elasticsearch. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet ref
https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835
https://security.netapp.com/advisory/ntap-20210430-0006/
https://www.oracle.com/security-alerts/cpuapr2022.html
Published: 2021-03-08