Enterprise Search
CVE-2021-22149
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
AnalysisAI
Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Permission Assignment (CWE-732), which allows attackers to access resources due to misconfigured permissions. Elastic Enterprise Search App Search versions before 7.14.0 are vulnerable to an issue where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users. Affected products include: Elastic Enterprise Search. Version information: before 7.14.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and restrict file/resource permissions, apply principle of least privilege.
More in Enterprise Search
View allElastic Enterprise Search App Search versions before 7.14.0 was vulnerable to an issue where API keys were not bound to
Elastic Enterprise Search before 7.9.0 contain a credential exposure flaw in the App Search interface. Rated high severi
An information disclosure via GET request server-side request forgery vulnerability was discovered with the Workplace Se
An issue was discovered by Elastic whereby the Documents API of App Search logged the raw contents of indexed documents
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today