Description

Elasticsearch before 7.14.0 did not apply document and field level security to searchable snapshots. This could lead to an authenticated user gaining access to information that they are unauthorized to view.

Remediation

References

https://discuss.elastic.co/t/elastic-stack-7-14-0-security-update/280344

https://security.netapp.com/advisory/ntap-20211008-0002/

https://www.elastic.co/community/security/

Related Vulnerabilities

CVE-2019-1003062 Vulnerability in maven package org.jenkins-ci.plugins:aws-cloudwatch-logs-publisher

CVE-2022-21191 Vulnerability in npm package global-modules-path

CVE-2022-32549 Vulnerability in maven package org.apache.sling:org.apache.sling.api

CVE-2011-4905 Vulnerability in maven package activemq:activemq-core

CVE-2021-3513 Vulnerability in maven package org.keycloak:keycloak-services

Severity

High

Classification

CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Third Party Advisory