CVE-2021-22134 org.elasticsearch:elasticsearch

Package

Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=7.6.0 <7.11.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00246 (percentile: 0.47772)

Details

Exposure of Sensitive Information to an Unauthorized Actor

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.

Metadata

Created: 2021-03-18T19:23:57Z
Modified: 2022-04-22T16:50:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-hwvv-438r-mhvj/GHSA-hwvv-438r-mhvj.json
CWE IDs: ["CWE-200", "CWE-863"]
Alternative ID: GHSA-hwvv-438r-mhvj
Finding: F038
Auto approve: 1