CVE-2021-22149

HIGH

Elastic Enterprise Search < 7.14.0 - Missing Authorization

Title source: rule

Description

Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.

Scores

CVSS v3 8.8
EPSS 0.0027
EPSS Percentile 49.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE CWE-862, CWE-732
Status published

Affected Products (1)

elastic/enterprise_search < 7.14.0

Timeline

Published Sep 15, 2021
Tracked Since Feb 18, 2026