CVE-2021-22137

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-22137
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22137.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-22137
Aliases
Downstream
Published
2021-05-13T18:15:09.033Z
Modified
2026-03-15T15:12:33.297533Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected ranges

Type
GIT
Repo
https://github.com/elastic/elasticsearch
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c9a8c60f59a902dfa018abda97b195f7ba9f29aa
Introduced
8ced7813d6f16d2ef30792e2fcde3e755795ee04
Fixed
3e5a16cfec50876d20ea77b075070932c6464c7d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.8.15"
        },
        {
            "introduced": "7.11.0"
        },
        {
            "fixed": "7.11.2"
        }
    ]
}

Affected versions

v7.*
v7.11.0
v7.11.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-22137.json"