elastic elasticsearch CVE-2021-22134 in Elastic and Oracle Products
Published on March 8, 2021

product logo product logo
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.

NVD

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2021-22134 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2021-22134

stack.watch emails you whenever new vulnerabilities are published in Elasticsearch or Oracle Communications Cloud Native Core Automated Test Suite. Just hit a watch button to start following.

Elasticsearch
 
Oracle Communications Cloud Native Core Automated Test Suite
 

Affected Versions

Elasticsearch Version after 7.6.0 and before 7.11.0 is affected by CVE-2021-22134

Exploit Probability

EPSS
0.17%
Percentile
37.37%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.