CVE-2021-22145 – ElasticSearch 7.13.3 - Memory disclosure

https://notcve.org/view.php?id=CVE-2021-22145

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details. Se ha identificado una vulnerabilidad de divulgación de memoria en los informes de errores de Elasticsearch versiones 7.10.0 hasta 7.13.3. Un usuario con la habilidad de enviar consultas arbitrarias a Elasticsearch podría enviar una consulta malformada que resultaría en un mensaje de error devuelto conteniendo porciones previamente usadas de un buffer de datos. • https://www.exploit-db.com/exploits/50149 https://github.com/niceeeeeeee/CVE-2021-22145-poc http://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177 https://security.netapp.com/advisory/ntap-20210827-0006 https://www.oracle.com/security-alerts/cpuapr2022.html • CWE-209: Generation of Error Message Containing Sensitive Information •