CVE-2021-22135
Description
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw in the Elasticsearch suggester and profile API when Document and Field Level Security are enabled. The suggester and profile API are normally disabled for an index when document level security is enabled on the index. Certain queries are able to enable the profiler and suggester, which could lead to disclosing the existence of documents and fields the attacker should not be able to view.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Elasticsearch before 7.11.2 and 6.8.15 can disclose documents via the suggester and profile API when DLS/FLS are enabled.
Vulnerability
Elasticsearch versions before 7.11.2 and 6.8.15 contain a document disclosure flaw in the suggester and profile API when Document Level Security (DLS) and Field Level Security (FLS) are enabled. These APIs are normally disabled for an index under DLS, but certain queries can re-enable them, leading to information disclosure [1][2].
Exploitation
An attacker must have a valid low-privileged user account with query access to an index protected by DLS or FLS. The attacker sends a specially crafted query that re-enables the suggester or profile API, which are ordinarily blocked. No additional authentication or network position beyond normal API access is required. The exact query format is not publicly detailed in the available references [2].
Impact
A successful attack allows the attacker to learn the existence of documents and fields that they should not be able to view under the enforced DLS/FLS policies. The CVSSv3 score is 3.1 (Low), reflecting the low confidentiality impact and the requirement for authenticated access with high attack complexity [2].
Mitigation
There is no workaround for this flaw; the advisory states this explicitly [2]. Users should upgrade to Elasticsearch 7.11.2 (7.x line) or 6.8.15 (6.8 line). The fix is described in the Elastic Stack 7.12.0 and 6.8.15 security update [3].
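Because the only remediation is a version upgrade, the practical first step is to establish which nodes fall inside the affected ranges listed under Affected packages (< 6.8.15, and >= 7.0.0 but < 7.11.2). The following is an added example, not code from Elastic or from the advisory: it parses the `version.number` field of Elasticsearch's `GET /` root response and evaluates it against those two ranges. The sample root response embedded in the script is constructed for illustration, and the `AFFECTED_RANGES` and `assess_cluster_info` names are this example's own.

```python
"""Check an Elasticsearch version against the CVE-2021-22135 affected ranges.

Added example for this page; not code from Elastic or from the advisory.
The ranges come from the GitHub Security Advisory rows shown on this page:
    < 6.8.15   and   >= 7.0.0, < 7.11.2
The sample `GET /` response below is constructed, not captured from a cluster.
"""
import json
import re

# Affected ranges as (lower_inclusive, upper_exclusive).
# A lower bound of None means "unbounded below" (every release before 6.8.15).
AFFECTED_RANGES = [
    (None, (6, 8, 15)),
    ((7, 0, 0), (7, 11, 2)),
]


def parse_version(text: str) -> tuple:
    """Turn '7.11.1' or '7.11.1-SNAPSHOT' into (7, 11, 1).

    Elasticsearch reports version.number as major.minor.patch, occasionally
    with a build suffix after '-'. The suffix is ignored for range comparison.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True if the version lies in any of the advisory's affected ranges."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or v >= lower) and v < upper:
            return True
    return False


def assess_cluster_info(root_response: str) -> dict:
    """Assess the JSON body returned by Elasticsearch's `GET /` endpoint.

    Returns the version found, whether it is in an affected range, and the
    first patched release on the same line (6.8.15 for 6.x and earlier,
    7.11.2 for 7.x). upgrade_to is None when the node is not affected.
    """
    body = json.loads(root_response)
    number = body["version"]["number"]
    affected = is_affected(number)
    major = parse_version(number)[0]
    fix = "6.8.15" if major < 7 else "7.11.2"
    return {
        "version": number,
        "affected": affected,
        "upgrade_to": fix if affected else None,
    }


# Constructed sample of a `GET /` response, trimmed to the fields the check uses.
SAMPLE_ROOT_RESPONSE = json.dumps({
    "name": "node-1",
    "cluster_name": "es-prod",
    "version": {"number": "7.10.2", "build_flavor": "default"},
})

if __name__ == "__main__":
    print(assess_cluster_info(SAMPLE_ROOT_RESPONSE))
    for v in ("6.8.14", "6.8.15", "7.0.0", "7.11.1", "7.11.2", "7.12.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

Run it against the body of `curl -u user:pass https://node:9200/` for each node; mixed-version clusters during a rolling upgrade must be checked per node, not per cluster, since the root endpoint reports the version of the node that answered.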
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.elasticsearch:elasticsearch (Maven) | >= 7.0.0, < 7.11.2 | 7.11.2 |
| org.elasticsearch:elasticsearch (Maven) | < 6.8.15 | 6.8.15 |
Affected products
- (no CPE) range: < 6.8.15
- (no CPE) range: >= 7.0.0, < 7.11.2
- Range: before 7.11.2 and 6.8.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-62ww-4p3p-7fhj (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22135 (NVD)
- discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125 (Elastic security update announcement)
- security.netapp.com/advisory/ntap-20210625-0003/ (NetApp advisory)
News mentions
No linked articles in our index yet.