CVE-2021-37937

HIGH8.8EPSS 0.27%

Elasticsearch privilege escalation

Published: 3/6/2024Modified: 5/20/2025

Description

An issue was found with how API keys are created with the Fleet-Server service account. When an API key is created with a service account, it is possible that the API key could be created with higher privileges than intended. Using this vulnerability, a compromised Fleet-Server service account could escalate themselves to a super-user.

Affected packages (1)

Bitnami/elasticsearch>= 7.13.0, < 7.14.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

WEBhttps://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-37937
WEBhttps://www.elastic.co/community/security