CVE-2021-37940

An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Search Github Enterprise Server integration. Using this vulnerability, a malicious Workplace Search admin could use the GHES integration to view hosts that might not be publicly accessible.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
elasticCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
elasticenterprise_search
𝑥
< 7.16.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://discuss.elastic.co/t/enterprise-search-7-16-0-security-update/291146
https://discuss.elastic.co/t/enterprise-search-7-16-0-security-update/291146