{"api_version":"1","generated_at":"2026-04-23T04:34:06+00:00","cve":"CVE-2021-22147","urls":{"html":"https://cve.report/CVE-2021-22147","api":"https://cve.report/api/cve/CVE-2021-22147.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-22147","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-22147"},"summary":{"title":"CVE-2021-22147","description":"Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.","state":"PUBLIC","assigner":"security@elastic.co","published_at":"2021-09-15 12:15:00","updated_at":"2022-11-04 18:27:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344","name":"https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344","refsource":"MISC","tags":[],"title":"Elastic Stack 7.14.0 Security Update - Security Announcements - Discuss the Elastic Stack","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.elastic.co/community/security/","name":"https://www.elastic.co/community/security/","refsource":"MISC","tags":[],"title":"Security issues | Elastic","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20211008-0002/","name":"https://security.netapp.com/advisory/ntap-20211008-0002/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-22147 Elasticsearch Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-22147","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22147","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"22147","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"elastic","cpe5":"elasticsearch","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-22147","qid":"730232","title":"Elasticsearch Access Control Vulnerability (ESA-2021-18)"},{"cve":"CVE-2021-22147","qid":"900440","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rubygem-elasticsearch (6278)"},{"cve":"CVE-2021-22147","qid":"980458","title":"Java (maven) Security Update for org.elasticsearch:elasticsearch (GHSA-45h5-r968-5xr7)"}]},"source_records":{"cve_program":{"data_format":"MITRE","data_type":"CVE","data_version":"4.0","CVE_data_meta":{"ASSIGNER":"security@elastic.co","ID":"CVE-2021-22147","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Elastic","product":{"product_data":[{"product_name":"Elasticsearch","version":{"version_data":[{"version_value":"versions 7.11.0 to 7.13.4"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-732: Incorrect Permission Assignment for Critical Resource"}]}]},"references":{"reference_data":[{"url":"https://www.elastic.co/community/security/","refsource":"MISC","name":"https://www.elastic.co/community/security/"},{"url":"https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344","refsource":"MISC","name":"https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20211008-0002/","url":"https://security.netapp.com/advisory/ntap-20211008-0002/"}]},"description":{"description_data":[{"lang":"eng","value":"Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view."}]}},"nvd":{"publishedDate":"2021-09-15 12:15:00","lastModifiedDate":"2022-11-04 18:27:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*","versionStartIncluding":"7.11.0","versionEndExcluding":"7.14.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"22147","Ordinal":"196842","Title":"CVE-2021-22147","CVE":"CVE-2021-22147","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"22147","Ordinal":"1","NoteData":"Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"22147","Ordinal":"2","NoteData":"2021-09-15","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"22147","Ordinal":"3","NoteData":"2021-10-08","Type":"Other","Title":"Modified"}]}}}