HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2021-22146

CVSS 7.5v3.1pub. 2021-07-21upd. 2024-11-21

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Elastic Elasticsearch

    APP
    Elastic
    7.13.3
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2015-1427CRITICAL9.8⚠ KEVten sam produkt

The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to by...

CVE-2015-5377CRITICAL9.8ten sam produkt

Elasticsearch before 1.6.1 allows remote attackers to execute arbitrary code via unspecified vectors involving...

CVE-2014-3120HIGH8.1⚠ KEVten sam produkt

The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers...

CVE-2023-31418HIGH7.5ten sam produkt

An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenti...

CVE-2022-23712HIGH7.5ten sam produkt

A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacke...

CVE-2021-22146 — Elastic — Elasticsearch — HIGH — CVSS 7.5 | CVEbaza.pl