CVE-2021-22146
Summary
| CVE | CVE-2021-22146 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-07-21 15:15:00 UTC |
| Updated | 2022-07-12 17:42:00 UTC |
| Description | All versions of Elastic Cloud Enterprise have the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Elastic | Elasticsearch | 7.13.3 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Elasticsearch ECE 7.13.3 Database Disclosure ≈ Packet Storm | MISC | packetstormsecurity.com | |
| CVE-2021-22146 Elasticsearch Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| Elastic Cloud Enterprise security update - Security Announcements - Discuss the Elastic Stack | MISC | discuss.elastic.co | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.