CVE-2021-22135

MEDIUM5.3EPSS 0.15%

API information disclosure flaw in Elasticsearch

發布日:2021/7/2修改日:2024/2/17

也稱為:GHSA-62ww-4p3p-7fhjBIT-elasticsearch-2021-22135

描述

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.

受影響套件(2)

Bitnami/elasticsearchfrom 0, < 6.8.15, >= 7.11.0, < 7.11.2
Maven/org.elasticsearch:elasticsearch>= 7.0.0, < 7.11.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-22135
WEBhttps://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
WEBhttps://security.netapp.com/advisory/ntap-20210625-0003
WEBhttps://security.netapp.com/advisory/ntap-20210625-0003/