Elasticsearch Document/Field Level Security issue (ESA-2021-18)
A flaw was discovered in Elasticsearch where document and field level security was not applied to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.
Affected Versions:
Elasticsearch versions 7.11.0 to 7.13.4
Solutions and Mitigations:
Users who are using document or field level security with searchable snapshots should upgrade to version 7.14.0
CVSSv3: 5.7 - AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2021-22147
Enterprise Search Privilege Escalation issue ( ESA-2021-19)
A flaw in Elastic App Search was discovered where API keys were not bound to the same engines as their creator. This could lead to a less privileged user gaining access to unauthorized engines.
Affected Versions:
Elastic Enterprise Search versions prior to 7.14.0
Solutions and Mitigations:
Users should upgrade to version 7.14.0
CVSSv3: 8.1 - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID: CVE-2021-22148
Enterprise Search Privilege Escalation issue (ESA-2021-20)
A flaw in Elastic App Search was discovered where API keys were missing authorization via an alternate route. Using this vulnerability, an authenticated attacker could utilize API keys belonging to higher privileged users.
Affected Versions:
Elastic Enterprise Search versions prior to 7.14.0
Solutions and Mitigations:
Users should upgrade to version 7.14.0
CVSSv3: 8.1 - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVE ID: CVE-2021-22149