Cyber Resilience

CVE-2021-22145

Medium · Public PoC

Published: 21 July 2021

Modified: 08 July 2025
KEV Added
Patch
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.6793 (98.6th percentile)
Risk Priority: 54 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-22145 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Elastic Elasticsearch. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked in the top 1.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

elastic · elasticsearch · 7.10.0 — 7.13.3
oracle · communications cloud native core automated test suite · 1.8.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-209

Monitoring directly detects unauthorized disclosure of sensitive information, enabling response to exposures.

addresses: CWE-200 CWE-209

Obscuring authentication feedback prevents exposure of sensitive information such as valid usernames or failure reasons to unauthorized actors.

addresses: CWE-200 CWE-209

Concealment techniques directly prevent real sensitive data from being exposed to adversaries.

addresses: CWE-200 CWE-209

Restricts error message visibility to authorized recipients, directly reducing unauthorized exposure of sensitive information.

addresses: CWE-200 CWE-209

Filtering output to only permitted content stops unintended disclosure of sensitive information to unauthorized actors.

addresses: CWE-200

Automated marking applies security attributes to system outputs, making it harder for attackers to exploit unmarked sensitive information leading to unauthorized exposure.

addresses: CWE-200

Proper attribute retention and permitted-value enforcement limits unauthorized actors from accessing sensitive information lacking correct labels.

addresses: CWE-200

Prevents unauthorized exposure of sensitive information by prohibiting untrusted external systems from processing or storing it.

References