cbcvebase.
CVE-2021-22146
published 2021-07-21


Priority P264 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 27.79% (97.8th percentile)
All versions of Elastic Cloud Enterprise have the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
elastic | elasticsearch | |

Detection & IOCs (extracted from sources)

port 9200
port 9201
  • Monitor for high-volume sequential POST requests to /_bulk with incrementing numeric _id values and no Authorization header, indicative of automated enumeration/dump activity.
  • Alert on any successful Elasticsearch API responses returned to requests made by the built-in 'anonymous' user, as this user should have no permissions and any successful query indicates misconfiguration or exploitation.
  • The exploit targets ECE versions >= 7.10.0 to <= 7.13.3. Deployments within this range are confirmed vulnerable.
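
The first two detection bullets as runnable logic, an added example that is not from the original page or from Elastic. The log schema (`src`, `auth`, `user`, `ids`), the sample records and the `min_run` threshold are assumptions made for illustration.

```python
import json
from collections import defaultdict

# Constructed sample records. The schema is hypothetical (one JSON object per
# request, e.g. from a proxy in front of the cluster): "auth" = Authorization
# header present, "user" = principal the request ran as, "ids" = numeric _id
# values already parsed out of a _bulk body.
SAMPLE_LOG = """\
{"src":"198.51.100.7","method":"POST","path":"/_bulk","status":403,"auth":false,"user":"anonymous","ids":[1,2,3]}
{"src":"198.51.100.7","method":"POST","path":"/_bulk","status":403,"auth":false,"user":"anonymous","ids":[4,5,6]}
{"src":"203.0.113.20","method":"POST","path":"/_bulk","status":200,"auth":true,"user":"ingest","ids":[10,11,12,13,14,15]}
{"src":"192.0.2.44","method":"GET","path":"/_cluster/health","status":200,"auth":false,"user":"anonymous"}
{"src":"192.0.2.44","method":"POST","path":"/_bulk","status":403,"auth":false,"user":"anonymous","ids":[40,7,91]}
"""

def detect(lines, min_run=5):
    """Return (sources with a sequential unauthenticated _bulk run, anonymous 2xx hits)."""
    last_id, run_len = {}, defaultdict(int)
    bulk_sources, anonymous_hits = set(), []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        src = rec["src"]
        # Second bullet: the anonymous user should never get a successful response.
        if rec.get("user") == "anonymous" and 200 <= rec["status"] < 300:
            anonymous_hits.append((src, rec["method"], rec["path"]))
        # First bullet: POST /_bulk, no Authorization header, incrementing _id values.
        if rec["method"] != "POST" or not rec["path"].endswith("/_bulk") or rec.get("auth"):
            continue
        for doc_id in rec.get("ids", []):
            if not isinstance(doc_id, int):
                continue  # non-numeric _id: not part of a numeric sequence
            sequential = src in last_id and doc_id == last_id[src] + 1
            run_len[src] = run_len[src] + 1 if sequential else 1
            last_id[src] = doc_id
            if run_len[src] >= min_run:
                bulk_sources.add(src)
    return bulk_sources, anonymous_hits

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

The sequence is tracked per source across requests, so a run split over several small `_bulk` calls is still counted; tune `min_run` to what "high-volume" means for the deployment.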

CVSS provenance

nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N