CVE-2021-22132 – org.elasticsearch:elasticsearch
Package
Manager: maven
Name: org.elasticsearch:elasticsearch
Vulnerable Version: >=7.7.0 <7.10.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0171 (percentile 0.81612)
Details
Insufficiently Protected Credentials in Elasticsearch. Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2.
Metadata
Created: 2021-03-18T19:27:27Z
Modified: 2021-03-16T01:19:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5fvx-2jj3-6mff/GHSA-5fvx-2jj3-6mff.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-5fvx-2jj3-6mff
Finding: F035
Auto approve: 1