CVE-2021-22146

Sažetak

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Reference

https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180
http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html
https://security.netapp.com/advisory/ntap-20210819-0005/

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

12-07-2022 - 17:42

Objavljeno

21-07-2021 - 15:15