CVE-2021-22134
 
Public Exploits: 0
Descriptions
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
Timeline
- 2021-01-04 CVE Reserved
- 2021-03-08 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-863: Incorrect Authorization
References (3)
URL | Tag | Date |
---|---|---|
https://security.netapp.com/advisory/ntap-20210430-0006 | Third Party Advisory | |
https://www.oracle.com/security-alerts/cpuapr2022.html | | 2022-10-25 |
https://discuss.elastic.co/t/elastic-stack-7-11-0-security-update/265835 | | 2022-10-25 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Elastic | Elasticsearch | >= 7.6.0 <= 7.11.0 | - | Affected |
Oracle | Communications Cloud Native Core Automated Test Suite | 1.8.0 | - | Affected |