CVE-2021-22145: 
Java vulnerability analysis and mitigation

A memory disclosure vulnerability was identified in Elasticsearch versions 7.10.0 to 7.13.3 error reporting. The vulnerability, tracked as CVE-2021-22145, was discovered by Eric Howard of Bell Canada and disclosed in July 2021. The vulnerability affects Elasticsearch installations and allows authenticated users with query permissions to potentially access sensitive information (Elastic Discussion).

The vulnerability occurs in Elasticsearch's error reporting mechanism where a user with the ability to submit arbitrary queries could send a malformed query that triggers an error message containing previously used portions of a data buffer. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and requiring low privileges (NVD).

The exposed data buffer could contain sensitive information such as Elasticsearch documents or authentication details. This information disclosure could potentially lead to unauthorized access to confidential data or authentication credentials (Elastic Discussion, NVD).

Users should upgrade their Elasticsearch installations to version 7.13.4 or later to address this vulnerability. There are no known workarounds for this issue other than upgrading to a patched version (Elastic Discussion).