CVE-2021-22147 - OpenCVE

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Elastic	Elasticsearch

Configuration 1 [-]

cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*

References

Link	Resource
https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344	Vendor Advisory
https://security.netapp.com/advisory/ntap-20211008-0002/	Third Party Advisory
https://www.elastic.co/community/security/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: elastic

Published: 2021-09-15T11:36:19

Updated: 2021-10-08T14:06:33

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-22147

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-15T12:15:08.917

Modified: 2022-11-04T18:27:17.933

Link: CVE-2021-22147

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Elasticsearch", "vendor": "Elastic", "versions": [{"status": "affected", "version": "versions 7.11.0 to 7.13.4"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732: Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-08T14:06:33", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.elastic.co/community/security/"}, {"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20211008-0002/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2021-22147", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Elasticsearch", "version": {"version_data": [{"version_value": "versions 7.11.0 to 7.13.4"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-732: Incorrect Permission Assignment for Critical Resource"}]}]}, "references": {"reference_data": [{"name": "https://www.elastic.co/community/security/", "refsource": "MISC", "url": "https://www.elastic.co/community/security/"}, {"name": "https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344"}, {"name": "https://security.netapp.com/advisory/ntap-20211008-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20211008-0002/"}]}}}}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2021-22147", "datePublished": "2021-09-15T11:36:19", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2021-10-08T14:06:33", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "A26A46C5-D497-476F-A7E9-128F5E625231", "versionEndExcluding": "7.14.0", "versionStartIncluding": "7.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view."}, {"lang": "es", "value": "Elasticsearch versiones anteriores a 7.14.0, no aplicaba la seguridad a nivel de documento y de campo a las instant\u00e1neas con capacidad de b\u00fasqueda. Esto pod\u00eda conllevar a que un usuario autenticado consiguiera acceso a informaci\u00f3n que no estaba autorizado a visualizar"}], "id": "CVE-2021-22147", "lastModified": "2022-11-04T18:27:17.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-15T12:15:08.917", "references": [{"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211008-0002/"}, {"source": "bressers@elastic.co", "tags": ["Vendor Advisory"], "url": "https://www.elastic.co/community/security/"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-732"}], "source": "bressers@elastic.co", "type": "Secondary"}]}