Information Disclosure Vulnerability in Elasticsearch by Elastic
CVE-2020-7021

4.9MEDIUM

Key Information:

Vendor: Elastic
Status: Elasticsearch
Vendor: CVE Published:; 10 February 2021

Summary

Elasticsearch versions prior to 7.10.0 and 6.8.14 experienced a significant information disclosure issue linked to audit logging when the emit_request_body option was enabled. This vulnerability allowed sensitive information, such as password hashes and authentication tokens, to be logged in the audit log. As a result, an Elasticsearch administrator could inadvertently access these details, potentially compromising data security. Organizations using affected versions should promptly update to mitigate the risks associated with this vulnerability.

Affected Version(s)

Elasticsearch before 7.10.0 and 6.8.14

References

https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8...

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210319-0003/

x_refsource_CONFIRM

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 10, 2021
Vulnerability Reserved
Jan 14, 2020