Vulnerabilities > CVE-2021-22134 - Incorrect Authorization vulnerability in multiple products

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

elastic

oracle

CWE-863

NVD

Published: 2021-03-08

Updated: 2022-10-25

Summary

A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.

Vulnerable Configurations

Part	Description	Count
Application	Elastic Elastic Elasticsearch 7.6.0 Elastic Elasticsearch 7.6.1 Elastic Elasticsearch 7.6.2 Elastic Elasticsearch 7.7.0 Elastic Elasticsearch 7.7.1 Elastic Elasticsearch 7.8.0 Elastic Elasticsearch 7.8.1 Elastic Elasticsearch 7.9.0 Elastic Elasticsearch 7.9.1 Elastic Elasticsearch 7.9.2 Elastic Elasticsearch 7.9.3 Elastic Elasticsearch 7.10.0 Elastic Elasticsearch 7.10.1 Elastic Elasticsearch 7.10.2 Elastic Elasticsearch 7.11.0	15
Application	Oracle Oracle Communications Cloud Native Core Automated Test Suite 1.8.0	1

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References