PT-2021-14863 · Elastic · Elasticsearch
Published: 2021-05-13 · Updated: 2024-03-06 · CVE-2021-22135
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Elasticsearch versions prior to 7.11.2
Elasticsearch versions prior to 6.8.15
Description
A document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. Normally, the suggester and profile API are disabled for an index when document level security is enabled on the index. However, certain queries can enable the profiler and suggester, potentially disclosing the existence of documents and fields that the attacker should not be able to view.
Recommendations
For Elasticsearch versions prior to 7.11.2, update to version 7.11.2 or later.
For Elasticsearch versions prior to 6.8.15, update to version 6.8.15 or later.
Fix
Information Disclosure
Affected Products
Elasticsearch