CVE-2021-22146
First published: Wed Jul 21 2021(Updated: )
All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elasticsearch | =7.13.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-22146?
CVE-2021-22146 is a vulnerability in Elastic Cloud Enterprise that enables the Elasticsearch "anonymous" user by default in deployed clusters.
What is the severity of CVE-2021-22146?
CVE-2021-22146 has a severity level of 7.5 (high).
How does CVE-2021-22146 affect Elastic Cloud Enterprise?
CVE-2021-22146 affects all versions of Elastic Cloud Enterprise by enabling the Elasticsearch "anonymous" user by default in deployed clusters.
How can an attacker exploit CVE-2021-22146?
An attacker can leverage the "anonymous" user enabled by CVE-2021-22146 to gain unauthorized access and potentially perform unauthorized actions on Elasticsearch APIs.
Is there a fix for CVE-2021-22146?
Yes, there is a fix available for CVE-2021-22146. It is recommended to apply the security update provided by Elastic Cloud Enterprise.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- agent/source
- vendor/elastic
- canonical/elastic elasticsearch
- version/elastic elasticsearch/7.13.3