CVE-2021-22137

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-22137
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22137.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-22137
Aliases
Related
Published
2021-05-13T18:15:09Z
Modified
2025-02-19T03:17:36.076121Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.19.0.RC1
v0.19.0.RC2
v0.19.0.RC3
v0.20.0.RC1
v0.4.0
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.9.0
v0.90.0
v0.90.0.Beta1
v0.90.0.RC1
v0.90.0.RC2

v1.*

v1.0.0.Beta1
v1.0.0.Beta2
v1.0.0.RC1

v5.*

v5.0.0-alpha1
v5.0.0-alpha2
v5.0.0-alpha3
v5.0.0-alpha4
v5.0.0-alpha5

v6.*

v6.0.0-alpha1
v6.0.0-alpha2
v6.7.0
v6.7.1
v6.7.2
v6.8.0
v6.8.1
v6.8.10
v6.8.11
v6.8.12
v6.8.13
v6.8.14
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9