CVE-2021-22144: Uncontrolled Recursion in Elasticsearch

Severity
6.5 MEDIUM (NVD)
EPSS
0.2% (top 56.31%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 26
Latest update: Oct 15

Description

In Elasticsearch versions before 7.13.3 and 6.8.17, an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

Patches

Vulnerability Details (4)

OSV: Denial of Service in Elasticsearch (2021-08-09)
GHSA: Denial of Service in Elasticsearch (2021-08-09)
CVEList: CVE-2021-22144: In Elasticsearch versions before 7 (2021-07-26)
OSV: CVE-2021-22144: In Elasticsearch versions before 7 (2021-07-26)

Vendor Advisories (3)

Oracle: Oracle PeopleSoft Risk Matrix: Elastic Search (Grok Parser) — CVE-2021-22144 (2022-10-15)
Microsoft: In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with th (2021-07-13)
Red Hat: elasticsearch: uncontrolled recursion in Grok parser (2021-07-07)
CVE-2021-22144 — Uncontrolled Recursion in Elastic | cvebase