CVE-2021-22134

low-risk

Published 2021-03-08

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.

Do I need to act?

0.17% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Elasticsearch

Communications Cloud Native Core Automated Test Suite

Affected Vendors

Oracle Elastic

References (6)

Release Notes https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835

Third Party Advisory https://security.netapp.com/advisory/ntap-20210430-0006/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Release Notes https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835

Third Party Advisory https://security.netapp.com/advisory/ntap-20210430-0006/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 7/34 · Low