elasticsearch

Link package | bugs open | bugs closed | Wiki | GitHub | web search
Description Distributed RESTful search engine built on top of Lucene
Version 7.10.2-1 [community]

Open

Group Affected Fixed Severity Status Ticket
AVG-1638 7.10.2-1 Medium Vulnerable FS#70137
Issue Group Severity Remote Type Description
CVE-2021-22145 AVG-1638 Medium Yes Information disclosure
A memory disclosure vulnerability was identified in Elasticsearch’s error reporting in versions 7.10.0 up to 7.13.3. A user with the ability to submit...
CVE-2021-22144 AVG-1638 Medium Yes Denial of service
An uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser before versions 7.13.3...
CVE-2021-22137 AVG-1638 Medium Yes Information disclosure
A document disclosure flaw was found in Elasticsearch versions before 6.8.15 and 7.11.2 when Document or Field Level Security is used. Search queries do not...
CVE-2021-22135 AVG-1638 Medium Yes Information disclosure
In Elasticsearch versions before 7.11.2 and 6.8.15, a document disclosure flaw was found in the Elasticsearch suggester and profile API when Document and...
CVE-2021-22134 AVG-1638 Low Yes Information disclosure
A document disclosure flaw was found in Elasticsearch before version 7.11.0 when Document or Field Level Security is used. Get requests do not properly...

Resolved

Group Affected Fixed Severity Status Ticket
AVG-2342 7.10.2-1 Medium Not affected
AVG-1884 7.10.1-1 Critical Not affected
AVG-1455 7.10.1-1 7.10.2-1 Medium Fixed FS#70061
AVG-912 6.6.0-1 6.6.1-1 High Fixed
Issue Group Severity Remote Type Description
CVE-2021-37937 AVG-2342 Medium Yes Privilege escalation
A security issue has been found in Elasticsearch versions from 7.13.0 through 7.14.0. An issue was found with how API keys are created with the fleet-server...
CVE-2021-22149 AVG-1884 High Yes Access restriction bypass
A flaw in Elastic App Search in Elastic Enterprise Search versions prior to 7.14.0 was discovered where API keys were missing authorization via an alternate...
CVE-2021-22148 AVG-1884 High Yes Access restriction bypass
A flaw in Elastic App Search in Elastic Enterprise Search versions prior to 7.14.0 was discovered where API keys were not bound to the same engines as their...
CVE-2021-22147 AVG-1884 Medium Yes Information disclosure
A flaw was discovered in Elasticsearch versions 7.11.0 to 7.13.4 where document and field level security was not applied to searchable snapshots. This could...
CVE-2021-22140 AVG-1884 Critical Yes Xml external entity injection
An XML External Entity Injection issue (XXE) was found in the App Search web crawler beta feature. Using this vector, an attacker whose website is being...
CVE-2021-22132 AVG-1455 Medium Yes Information disclosure
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly...
CVE-2019-7611 AVG-912 High Yes Privilege escalation
A permission issue was found in Elasticsearch when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split...

Advisories

Date Advisory Group Severity Type
25 Feb 2019 ASA-201902-27 AVG-912 High privilege escalation