Enterprise Search
CVE-2021-22148
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
AnalysisAI
Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. Elastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines. Affected products include: Elastic Enterprise Search. Version information: before 7.14.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.
More in Enterprise Search
View allElastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing autho
Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. Rated high severi
An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Se
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today