CVE-2021-22147
Published 2021-09-15
Priority: P4 | 33 | medium | 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.00% (58.6th percentile)
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | >= 7.11.0 < 7.14.0 | 7.14.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
OSV
Exposure of sensitive information in Elasticsearch
osv · 2021-09-20 · CVE-2021-22147 · MEDIUM
A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
GHSA
Exposure of sensitive information in Elasticsearch
ghsa · 2021-09-20 · CVE-2021-22147 · MEDIUM · CWE-732
A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
OSV
CVE-2021-22147: Elasticsearch before 7
osv · 2021-09-15 · CVSS 6.5 · CVE-2021-22147 · MEDIUM
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Red Hat
elasticsearch: document and field level security was not applied to searchable snapshots
vendor_redhat · 2021-08-03 · CVSS 6.5 · CVE-2021-22147 · MEDIUM · CWE-200
Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Statement: The searchable snapshots feature is only available with an enterprise subscription. The open-source version of Elasticsearch does not include the searchable snapshots feature and hence is not affected by this vulnerability.
Package: openshift-logging/elasticsearch6-rhel8 (Logging Subsystem for Red Hat OpenShift) - Not affected
Package: servicemesh-grafana (OpenShift Service Mesh 1) - Not affected
Package: servicemesh-grafana (OpenShift Service Mesh 2.0) - Not affected
Package: elasticsearch (Red
No detection rules found.
No public exploits indexed.
References
https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344
https://security.netapp.com/advisory/ntap-20211008-0002/
https://www.elastic.co/community/security/