CVE-2021-22135
MEDIUMElasticsearch <6.8.15 and 7.0.0-7.11.2 - Unauthorized Document and Field Exposure via Suggester and Profile API
Title source: llmDescription
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_misc
https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210625-0003/
Scores
CVSS v3
5.3
EPSS
0.0015
EPSS Percentile
35.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
elastic/elasticsearch
< 6.8.15
org.elasticsearch/elasticsearch
7.0.0 - 7.11.2Maven
Published
May 13, 2021
Tracked Since
Feb 18, 2026