Vulnerability Description
An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Open Distro | < 1.13.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/opendistro-for-elasticsearch/alerting/pull/353PatchThird Party Advisory
- https://opendistro.github.io/for-elasticsearch-docs/version-history/Release NotesThird Party Advisory
- https://rotem-bar.com/ssrf-in-open-distro-for-elasticsearch-cve-2021-31828Third Party Advisory
- https://github.com/opendistro-for-elasticsearch/alerting/pull/353PatchThird Party Advisory
- https://opendistro.github.io/for-elasticsearch-docs/version-history/Release NotesThird Party Advisory
- https://rotem-bar.com/ssrf-in-open-distro-for-elasticsearch-cve-2021-31828Third Party Advisory
FAQ
What is CVE-2021-31828?
CVE-2021-31828 is a vulnerability with a CVSS score of 7.1 (HIGH). An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceedi...
How severe is CVE-2021-31828?
CVE-2021-31828 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-31828?
Check the references section above for vendor advisories and patch information. Affected products include: Amazon Open Distro.