CVE-2021-22135: Exposure of Sensitive Information to an Unauthorized Actor

July 2, 2021

Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester which could lead to disclosing the existence of documents and fields the attacker should not be able to view.

References

discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125
github.com/advisories/GHSA-62ww-4p3p-7fhj
nvd.nist.gov/vuln/detail/CVE-2021-22135
security.netapp.com/advisory/ntap-20210625-0003/

Detect and mitigate CVE-2021-22135 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →