Vulnerability Description
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elastic | Elasticsearch | 7.13.3 |
References
- http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-DiExploitThird Party AdvisoryVDB Entry
- https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180Vendor Advisory
- https://security.netapp.com/advisory/ntap-20210819-0005/Third Party Advisory
- http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-DiExploitThird Party AdvisoryVDB Entry
- https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180Vendor Advisory
- https://security.netapp.com/advisory/ntap-20210819-0005/Third Party Advisory
FAQ
What is CVE-2021-22146?
CVE-2021-22146 is a vulnerability with a CVSS score of 7.5 (HIGH). All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unabl...
How severe is CVE-2021-22146?
CVE-2021-22146 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22146?
Check the references section above for vendor advisories and patch information. Affected products include: Elastic Elasticsearch.