CVE Vulnerabilities

CVE-2021-22137

Improper Preservation of Permissions

Published: May 13, 2021 | Modified: Nov 04, 2022
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
2.6 LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

Weakness

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

Affected Software

Name Vendor Start Version End Version
Elasticsearch Elastic * 6.8.15 (excluding)
Elasticsearch Elastic 7.11.0 (including) 7.11.2 (excluding)
RHAF Camel-K 1.8 RedHat elasticsearch *
RHINT Camel-Q 2.7 RedHat elasticsearch *
Elasticsearch Ubuntu esm-apps/xenial *
Elasticsearch Ubuntu trusty *
Elasticsearch Ubuntu xenial *

References