{"containers": {"cna": {"affected": [{"product": "Elasticsearch", "vendor": "Elastic", "versions": [{"status": "affected", "version": "before 7.11.2 and 6.8.15"}]}], "descriptions": [{"lang": "en", "value": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-25T05:06:35", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2021-22137", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Elasticsearch", "version": {"version_data": [{"version_value": "before 7.11.2 and 6.8.15"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"name": "https://security.netapp.com/advisory/ntap-20210625-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:30:23.940Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2021-22137", "datePublished": "2021-05-13T17:35:18", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:30:23.940Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F9FE5BF-96E1-47AF-A8DF-3836949E3BE6", "versionEndExcluding": "6.8.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "676FCEC5-9858-437A-A06F-9A6C08502E7E", "versionEndExcluding": "7.11.2", "versionStartIncluding": "7.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."}, {"lang": "es", "value": "En Elasticsearch versiones anteriores a 7.11.2 y la 6.8.15, se encontr\u00f3 un fallo en la divulgaci\u00f3n del documento cuando Document o Field Level Security es usado. Las consultas de B\u00fasqueda no conservan apropiadamente los permisos de seguridad al ejecutar determinadas consultas de b\u00fasqueda cross-cluster. Esto podr\u00eda resultar en que la b\u00fasqueda revele la existencia de documentos que el atacante no ser\u00eda capaz de visualizar. Esto podr\u00eda resultar en que un atacante obtenga informaci\u00f3n adicional sobre \u00edndices potencialmente confiables"}], "id": "CVE-2021-22137", "lastModified": "2024-11-21T05:49:34.683", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-13T18:15:09.033", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "bressers@elastic.co", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-281"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6407", "cpe": "cpe:/a:redhat:integration:1", "package": "elasticsearch", "product_name": "RHAF Camel-K 1.8", "release_date": "2022-09-09T00:00:00Z"}, {"advisory": "RHSA-2022:5606", "cpe": "cpe:/a:redhat:camel_quarkus:2.7", "impact": "low", "package": "elasticsearch", "product_name": "RHINT Camel-Q 2.7", "release_date": "2022-07-19T00:00:00Z"}], "bugzilla": {"description": "elasticsearch: Document disclosure flaw when Document or Field Level Security is used", "id": "1943189", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1943189"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."], "name": "CVE-2021-22137", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Fix deferred", "package_name": "elasticsearch", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "elasticsearch", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "elasticsearch", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Fix deferred", "package_name": "elasticsearch", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-22137\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22137\nhttps://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"], "statement": "In Elasticsearch, Document and Field Level Security is an enterprise only feature [1]. Hence the open source version is unaffected by this vulnerability.\n[1] https://www.elastic.co/subscriptions", "threat_severity": "Low"}

{}