Document Disclosure Flaw in Elasticsearch by Elastic
CVE-2021-22134

4.3MEDIUM

Key Information:

Vendor
Elastic
Status
Elasticsearch
Vendor
CVE Published:
8 March 2021

Summary

A document disclosure vulnerability in Elasticsearch affects versions after 7.6.0 and before 7.11.0, specifically when using Document or Field Level Security. This flaw allows for GET requests to bypass security permissions when querying documents that have been recently updated but not yet refreshed in the index. Consequently, attackers may gain visibility into documents and fields that they should not have access to, potentially leading to unauthorized disclosure of sensitive information.

Affected Version(s)

Elasticsearch after 7.6.0 and before 7.11.0

References

https://discuss.elastic.co/t/elastic-stack-7-11-0-securit...
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210430-0006/
x_refsource_CONFIRM

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.