CVE-2021-22145
published 2021-07-21


Priority: P2 63 medium | CVSS 3.1: 6.5
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 76.25% (99.5th percentile)

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | 7.10.0 – 7.13.3 | |
| oracle | communications_cloud_native_core_automated_test_suite | | |

Detection & IOCs (extracted from sources)

url: /_bulk
command: POST /_bulk
bytes: @\n
  • POST request to /_bulk endpoint with a single '@' character as the body and Content-Type: application/json triggers the memory disclosure. Look for HTTP 400 responses containing 'root_cause', 'truncated', and 'reason' fields simultaneously.
  • Memory leak content is extracted from the error response JSON at paths error.root_cause[0].reason and error.reason, specifically the substring between '(byte[])"' and '; line'. Monitor Elasticsearch error responses for unexpected data in these fields.
  • FOFA/Shodan fingerprint query 'index_not_found_exception' can be used to identify exposed Elasticsearch instances potentially targeted by this CVE.
  • Affected versions are strictly Elasticsearch 7.10.0 through 7.13.3 inclusive. Version checks against the GET / endpoint JSON field version.number can confirm exposure.
  • The exploit supports both API Key (Bearer ApiKey) and HTTP Basic authentication headers, meaning authenticated Elasticsearch instances are also exploitable if the attacker has valid credentials.
  • The vulnerability requires only low-privilege access: any user able to submit arbitrary queries is sufficient to trigger the memory disclosure; no admin rights are needed.
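
The version check and the error-response check from the notes above, as an added defender-side example (not code from this page or from Elastic). It inspects already captured responses only; the function names, the sample body and the "echo longer than the request" heuristic are assumptions made for illustration.

```python
import json
import re

# Markers quoted on this page: the echoed buffer sits between '(byte[])"' and '; line'.
ECHO = re.compile(r'\(byte\[\]\)"(.*?); line', re.DOTALL)
AFFECTED = ((7, 10, 0), (7, 13, 3))  # inclusive range stated in the advisory


def in_affected_range(version_number):
    """True if version.number (from GET /) lies within 7.10.0 to 7.13.3."""
    try:
        parts = tuple(int(p) for p in version_number.split("-")[0].split("."))
    except (AttributeError, ValueError):
        return False
    return len(parts) == 3 and AFFECTED[0] <= parts <= AFFECTED[1]


def echoed_buffer_findings(status, body, request_len):
    """Return [(json_path, echo_length)] for HTTP 400 errors that echo more than was sent."""
    if status != 400:
        return []
    try:
        error = json.loads(body)["error"]
        root = error.get("root_cause")
    except (ValueError, KeyError, TypeError, AttributeError):
        return []
    first = root[0] if isinstance(root, list) and root and isinstance(root[0], dict) else {}
    fields = {"error.root_cause[0].reason": first.get("reason"),
              "error.reason": error.get("reason")}
    findings = []
    for path, reason in fields.items():
        match = ECHO.search(reason) if isinstance(reason, str) else None
        # Assumed heuristic: the echo is the request body plus a closing quote;
        # anything longer means extra buffer content came back in the error.
        if match and len(match.group(1)) > request_len + 1:
            findings.append((path, len(match.group(1))))
    return findings


def sample_response(echo):
    """Build a CONSTRUCTED error body (not a real capture) echoing `echo`."""
    reason = 'constructed parse error at [Source: (byte[])"%s"; line: 1, column: 3]' % echo
    return json.dumps({"error": {"root_cause": [{"reason": reason}],
                                 "reason": reason}, "status": 400})


if __name__ == "__main__":
    print(in_affected_range("7.12.1"), in_affected_range("7.13.4"))
    print(echoed_buffer_findings(400, sample_response("@\nSTALE-BUFFER-BYTES"), 2))
```

The findings carry only the JSON path and the echo length, so the detector's own output does not copy disclosed buffer content into alerts or tickets.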

CVSS provenance

nvd v3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd v2.0 4.0 MEDIUM AV:N/AC:L/Au:S/C:P/I:N/A:N
ghsa 6.5 MEDIUM
osv 6.5 MEDIUM
vendor_redhat 6.5 MEDIUM