Vulnerabilities > CVE-2021-22137 - Improper Preservation of Permissions vulnerability in Elastic Elasticsearch

047910
CVSS 5.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
low complexity
elastic
CWE-281
NVD
Published: 2021-05-13
Updated: 2022-11-04

Summary

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Vulnerable Configurations

Part Description Count
Application
Elastic
264

Common Weakness Enumeration (CWE)

References