Vulnerability Details CVE-2021-22146
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.299
EPSS Ranking 96.4%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html
- https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180
- https://security.netapp.com/advisory/ntap-20210819-0005/
- http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html
- https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180
- https://security.netapp.com/advisory/ntap-20210819-0005/
Products affected by CVE-2021-22146
-
cpe:2.3:a:elastic:elasticsearch:7.13.3