CVE-2021-31828
Severity: HIGH
Amazon Open Distro for Elasticsearch < 1.13.1.0 - Authenticated Server-Side Request Forgery via Alerting Plugin
An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0 allows an existing privileged user to enumerate listening services or interact with configured resources via HTTP requests exceeding the Alerting plugin's intended scope.
References (3)
Patch, Third Party Advisory x_refsource_confirm
https://github.com/opendistro-for-elasticsearch/alerting/pull/353
Release Notes, Third Party Advisory x_refsource_misc
https://opendistro.github.io/for-elasticsearch-docs/version-history/
Third Party Advisory x_refsource_misc
https://rotem-bar.com/ssrf-in-open-distro-for-elasticsearch-cve-2021-31828
Scores
CVSS v3
7.1
EPSS
0.0019
EPSS Percentile
40.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Details
CWE
CWE-918
Status
published
Products (1)
amazon/open_distro
< 1.13.1.0
Published
May 06, 2021
Tracked Since
Feb 18, 2026