CVE-2020-7021 – org.elasticsearch:elasticsearch

Package

Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=0 <6.8.14 || >=7.0.0 <7.10.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00362 pctl0.57531

Details

Insertion of Sensitive Information into Log File in Elasticsearch Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

Metadata

Created: 2022-05-24T17:41:42Z
Modified: 2022-06-23T17:58:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cqgv-256r-m9r8/GHSA-cqgv-256r-m9r8.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-cqgv-256r-m9r8
Finding: F091
Auto approve: 1