CVE-2021-22137 - OpenCVE

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Elastic	Elasticsearch
Redhat	Camel Quarkus Integration

Configuration 1 [-]

OR	cpe:2.3:a:elastic:elasticsearch::::::::
	cpe:2.3:a:elastic:elasticsearch::::::::

Package	CPE	Advisory	Released Date
RHAF Camel-K 1.8
elasticsearch	cpe:/a:redhat:integration:1	RHSA-2022:6407	2022-09-09T00:00:00Z
RHINT Camel-Q 2.7
elasticsearch	cpe:/a:redhat:camel_quarkus:2.7	RHSA-2022:5606	2022-07-19T00:00:00Z

References

Link	Providers
https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
https://nvd.nist.gov/vuln/detail/CVE-2021-22137
https://security.netapp.com/advisory/ntap-20210625-0003/
https://www.cve.org/CVERecord?id=CVE-2021-22137

History

No history.

MITRE

Status: PUBLISHED

Assigner: elastic

Published: 2021-05-13T17:35:18

Updated: 2024-08-03T18:30:23.940Z

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-22137

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-05-13T18:15:09.033

Modified: 2022-11-04T18:30:49.317

Link: CVE-2021-22137

Redhat

Severity : Low

Publid Date: 2021-03-23T00:00:00Z

Links: CVE-2021-22137 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Elasticsearch", "vendor": "Elastic", "versions": [{"status": "affected", "version": "before 7.11.2 and 6.8.15"}]}], "descriptions": [{"lang": "en", "value": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-25T05:06:35", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2021-22137", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Elasticsearch", "version": {"version_data": [{"version_value": "before 7.11.2 and 6.8.15"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"name": "https://security.netapp.com/advisory/ntap-20210625-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:30:23.940Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2021-22137", "datePublished": "2021-05-13T17:35:18", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:30:23.940Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F9FE5BF-96E1-47AF-A8DF-3836949E3BE6", "versionEndExcluding": "6.8.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "676FCEC5-9858-437A-A06F-9A6C08502E7E", "versionEndExcluding": "7.11.2", "versionStartIncluding": "7.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."}, {"lang": "es", "value": "En Elasticsearch versiones anteriores a 7.11.2 y la 6.8.15, se encontr\u00f3 un fallo en la divulgaci\u00f3n del documento cuando Document o Field Level Security es usado. Las consultas de B\u00fasqueda no conservan apropiadamente los permisos de seguridad al ejecutar determinadas consultas de b\u00fasqueda cross-cluster. Esto podr\u00eda resultar en que la b\u00fasqueda revele la existencia de documentos que el atacante no ser\u00eda capaz de visualizar. Esto podr\u00eda resultar en que un atacante obtenga informaci\u00f3n adicional sobre \u00edndices potencialmente confiables"}], "id": "CVE-2021-22137", "lastModified": "2022-11-04T18:30:49.317", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-13T18:15:09.033", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210625-0003/"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-281"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "bressers@elastic.co", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6407", "cpe": "cpe:/a:redhat:integration:1", "package": "elasticsearch", "product_name": "RHAF Camel-K 1.8", "release_date": "2022-09-09T00:00:00Z"}, {"advisory": "RHSA-2022:5606", "cpe": "cpe:/a:redhat:camel_quarkus:2.7", "impact": "low", "package": "elasticsearch", "product_name": "RHINT Camel-Q 2.7", "release_date": "2022-07-19T00:00:00Z"}], "bugzilla": {"description": "elasticsearch: Document disclosure flaw when Document or Field Level Security is used", "id": "1943189", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1943189"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices."], "name": "CVE-2021-22137", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "elasticsearch", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "elasticsearch", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "elasticsearch", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "elasticsearch", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-22137\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22137\nhttps://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"], "statement": "In Elasticsearch, Document and Field Level Security is an enterprise only feature [1]. Hence the open source version is unaffected by this vulnerability.\n[1] https://www.elastic.co/subscriptions", "threat_severity": "Low", "upstream_fix": "elasticsearch 7.11.2, elasticsearch 6.8.15"}