PT-2021-14865 · Elastic · Elasticsearch

Piotr Dłubisz

Published

2021-05-13

Updated

2024-03-06

CVE-2021-22137

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Elasticsearch versions prior to 7.11.2 Elasticsearch versions prior to 6.8.15

Description A document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view, potentially giving the attacker additional insight into sensitive indices.

Recommendations For versions prior to 7.11.2, update to version 7.11.2 or later to resolve the issue. For versions prior to 6.8.15, update to version 6.8.15 or later to resolve the issue.

Fix

Information Disclosure

Improper Preservation of Permissions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-281

Related Identifiers

BIT-ELASTICSEARCH-2021-22137

CVE-2021-22137

GHSA-HR65-QQ6P-87R4

Affected Products

Elasticsearch

PT-2021-14865 · Elastic · Elasticsearch

CVE-2021-22137

Weakness Enumeration

Related Identifiers

Affected Products

References · 10