CVE-2021-22134
Published: 08 March 2021
Summary
CVE-2021-22134 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Elastic Elasticsearch. Its CVSS base score is 4.3 (Medium).
Operationally, ranked at the 37.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0675
Vulnerability details
A document disclosure flaw was found in Elasticsearch versions after 7.6.0 and before 7.11.0 when Document or Field Level Security is used. Get requests do not properly apply security permissions when executing a query against a recently updated document. This…
more
affects documents that have been updated and not yet refreshed in the index. This could result in the search disclosing the existence of documents and fields the attacker should not be able to view.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
Ensures authorization decisions for external system use are correctly implemented and enforced.
It assists users in evaluating and applying correct authorization decisions when sharing information with external partners.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Drives review and correction of flawed authorization logic applied to organizational data.
Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data.
Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken.