CVE-2021-22145

MEDIUM NUCLEI

Elasticsearch 7.10.0-7.13.3 - Memory Disclosure via Malformed Query Error Message

Exploitation Summary

EIP tracks 3 public exploits for CVE-2021-22145. PoCs published by r0ny, niceeeeeeee, h00die, Eric Howard, R0NY, including Metasploit module auxiliary/scanner/http/elasticsearch_memory_disclosure. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit targets a memory disclosure vulnerability in ElasticSearch versions 7.10.0 to 7.13.3. It sends a malformed request to the /_bulk endpoint, triggering an error response that leaks memory contents.

Description

A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.

Exploits (3)

exploitdb WORKING POC
by r0ny · python · webapps · multiple
https://www.exploit-db.com/exploits/50149

This exploit targets a memory disclosure vulnerability in ElasticSearch versions 7.10.0 to 7.13.3. It sends a malformed request to the /_bulk endpoint, triggering an error response that leaks memory contents.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: ElasticSearch 7.10.0 to 7.13.3
Auth required
Prerequisites: Network access to ElasticSearch service · Valid authentication credentials (API key or Basic Auth)
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by niceeeeeeee · poc
https://github.com/niceeeeeeee/CVE-2021-22145-poc

This repository contains a functional Python PoC for CVE-2021-22145, a memory leak vulnerability in Elasticsearch versions 7.10.0 to 7.13.3. The exploit sends a crafted request to the /_bulk endpoint to trigger the leak and extracts memory contents from the error response.

Classification: Working Poc 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch 7.10.0 to 7.13.3
Auth required
Prerequisites: Network access to Elasticsearch service · Valid authentication credentials (API key or Basic Auth)
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC
by h00die, Eric Howard, R0NY · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/elasticsearch_memory_disclosure.rb

This Metasploit module exploits a memory disclosure vulnerability in Elasticsearch (CVE-2021-22145) by sending malformed bulk requests to leak memory contents, similar to Heartbleed. It supports scanning and dumping leaked memory to loot.

Classification: Working Poc 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Elasticsearch 7.10.0 to 7.13.3
No auth needed
Prerequisites: Network access to Elasticsearch HTTP API (port 9200 by default)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Elasticsearch 7.10.0-7.13.3 - Information Disclosure
MEDIUM · by dhiyaneshDk
FOFA: index_not_found_exception

References (5)

Core References
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210827-0006/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163648/ElasticSearch-7.13.3-Memory-Disclosure.html

Scores

CVSS v3 6.5
EPSS 0.6793
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-209, CWE-200
Status: published
Products (3)
elastic/elasticsearch 7.10.0 - 7.13.3
oracle/communications_cloud_native_core_automated_test_suite 1.8.0
org.elasticsearch.client/elasticsearch-rest-client 7.10.0 - 7.13.4 (Maven)
Published Jul 21, 2021
Tracked Since Feb 18, 2026