CVE-2021-22140 — HIGH (7.5)

Q: How severe is CVE-2021-22140?

CVE-2021-22140 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-22140?

Check the references section above for vendor advisories and patch information. Affected products include: Elastic Elastic App Search.

Vulnerability Description

Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Elastic	Elastic App Search	>= 7.11.0, < 7.12.0

Related Weaknesses (CWE)

CWE-611

References

https://discuss.elastic.co/t/7-12-1-security-update/271433Vendor Advisory
https://discuss.elastic.co/t/7-12-1-security-update/271433Vendor Advisory

FAQ

What is CVE-2021-22140?

CVE-2021-22140 is a vulnerability with a CVSS score of 7.5 (HIGH). Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website...

How severe is CVE-2021-22140?

CVE-2021-22140 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-22140?

Check the references section above for vendor advisories and patch information. Affected products include: Elastic Elastic App Search.