CVE-2021-22146

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Published: Jul 21, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-22146
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
elastic / elasticsearch	7.13.3	7.13.3.x

http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html
https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180
https://security.netapp.com/advisory/ntap-20210819-0005/

Vulnerability Database

289,599

CVE-2021-22146