CVE-2021-22135

13.05.2021, 18:15

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
elastic	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 57%

Vendor	Product	Version
elastic	elasticsearch	𝑥 < 6.8.15
elastic	elasticsearch	7.11.0 ≤ 𝑥 < 7.11.2

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

elasticsearch

noble	dne
mantic	dne
lunar	dne
kinetic	dne
jammy	dne
impish	dne
hirsute	dne
groovy	dne
focal	dne
bionic	dne
xenial	needed
trusty	dne

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125

https://security.netapp.com/advisory/ntap-20210625-0003/

https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125

https://security.netapp.com/advisory/ntap-20210625-0003/