CVE-2021-22147 — Exposure of sensitive information in Elasticsearch

Description

A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

How to fix CVE-2021-22147

To remediate CVE-2021-22147, upgrade the affected package to a fixed version below.

Bitnami/elasticsearch—upgrade to 7.14.0 or later
—upgrade to 7.14.0 or later

Is CVE-2021-22147 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.11.0, < 7.14.0
>= 7.11.0, < 7.14.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-22147
WEBdiscuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344
WEBsecurity.netapp.com/advisory/ntap-20211008-0002
WEBsecurity.netapp.com/advisory/ntap-20211008-0002/
WEB