CVE Vulnerabilities

CVE-2021-22144

Uncontrolled Recursion

Published: Jul 26, 2021 | Modified: May 10, 2022
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:N/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu

In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.

Weakness

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Affected Software

Name Vendor Start Version End Version
Elasticsearch Elastic * *
Elasticsearch Elastic 7.0.0 *

Potential Mitigations

References