Vulnerability Details : CVE-2021-22146
All versions of Elastic Cloud Enterprise have the Elasticsearch "anonymous" user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
Products affected by CVE-2021-22146
- cpe:2.3:a:elastic:elasticsearch:7.13.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22146
- EPSS score: 18.86% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~96% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-22146
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
References for CVE-2021-22146
- http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html (Elasticsearch ECE 7.13.3 Database Disclosure, Packet Storm; Exploit, Third Party Advisory, VDB Entry)
- https://security.netapp.com/advisory/ntap-20210819-0005/ (CVE-2021-22146 Elasticsearch Vulnerability in NetApp Products, NetApp Product Security; Third Party Advisory)
- https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180 (Elastic Cloud Enterprise security update, Security Announcements, Discuss the Elastic Stack; Vendor Advisory)