vulnerability

Elastic Elasticsearch: CVE-2021-22146: Vulnerability in Elastic Elasticsearch

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	Jul 21, 2021	May 13, 2025	Jun 11, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Jul 21, 2021

Added

May 13, 2025

Modified

Jun 11, 2025

Description

All versions of Elastic Cloud Enterprise has the Elasticsearch “anonymous” user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster.

Solution

elastic-elasticsearch-upgrade-latest

References

CVE-2021-22146
https://attackerkb.com/topics/CVE-2021-22146
URL-http://packetstormsecurity.com/files/163655/Elasticsearch-ECE-7.13.3-Database-Disclosure.html
URL-https://discuss.elastic.co/t/elastic-cloud-enterprise-security-update/279180
URL-https://security.netapp.com/advisory/ntap-20210819-0005/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today