CVE-2021-22146: 
Elasticsearch vulnerability analysis and mitigation

All versions of Elastic Cloud Enterprise (ECE) has the Elasticsearch "anonymous" user enabled by default in deployed clusters. While in the default setting the anonymous user has no permissions and is unable to successfully query any Elasticsearch APIs, an attacker could leverage the anonymous user to gain insight into certain details of a deployed cluster. The vulnerability was discovered and disclosed in July 2021 (Elastic Discussion).

The vulnerability has been assigned CVE-2021-22146 and received a CVSS v3.1 Base Score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue is classified under CWE-284: Improper Access Control. The vulnerability affects all ECE versions that have the anonymous user enabled as a default setting (NVD).

The vulnerability could allow an attacker to gain unauthorized insight into certain details of a deployed cluster. While the anonymous user has no permissions by default and cannot successfully query Elasticsearch APIs, the presence of this enabled account could potentially be leveraged to gather information about the cluster configuration (Elastic Discussion).

ECE stack packs 7.10.0 and later versions have been updated to disable the anonymous user as of July 7, 2021. Users should apply the updated stack pack to mitigate this vulnerability. The stack packs can be downloaded from the official page. There are no known workarounds other than applying the security update (Elastic Discussion).