A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
Published 2021-07-21 15:15:14
Updated 2022-05-10 15:25:28
Source Elastic

Exploit prediction scoring system (EPSS) score for CVE-2021-22145

Probability of exploitation activity in the next 30 days: 96.14%

Percentile, the proportion of vulnerabilities that are scored at or less: ~99%

Metasploit modules for CVE-2021-22145

  • Elasticsearch Memory Disclosure
    Disclosure Date: 2021-07-21
    First seen: 2023-09-11
    auxiliary/scanner/http/elasticsearch_memory_disclosure
    This module exploits a memory disclosure vulnerability in Elasticsearch 7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary queries to Elasticsearch can generate an error message containing previously used portions of a data buffer.

CVSS scores for CVE-2021-22145

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST

CWE ids for CVE-2021-22145

References for CVE-2021-22145

Products affected by CVE-2021-22145
