CVE-2021-22147 — Incorrect Permission Assignment in Elasticsearch

CWE-732 — Incorrect Permission Assignment CWE-862 — Missing Authorization CWE-200 — Sensitive Information Exposure6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Elasticsearch

Timeline

PublishedSep 15

Latest updateSep 20

Description

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDelastic/elasticsearch7.11.0 — 7.14.0

▶CVEListV5elastic/elasticsearchversions 7.11.0 to 7.13.4

🔴Vulnerability Details

OSV

Exposure of sensitive information in Elasticsearch↗2021-09-20

▶

GHSA

Exposure of sensitive information in Elasticsearch↗2021-09-20

▶

OSV

CVE-2021-22147: Elasticsearch before 7↗2021-09-15

▶

CVEList

CVE-2021-22147: Elasticsearch before 7↗2021-09-15

▶

📋Vendor Advisories

Red Hat

elasticsearch: document and field level security was not applied to searchable snapshots↗2021-08-03

▶