Information Disclosure Vulnerability in Elasticsearch by Elastic
CVE-2021-22132

4.8MEDIUM

Key Information:

Vendor
Elastic
Status
Elasticsearch
Vendor
CVE Published:
14 January 2021

Summary

Elasticsearch versions ranging from 7.7.0 to 7.10.1 are affected by a vulnerability in the async search API that leads to improper storage of HTTP headers. This flaw can allow an Elasticsearch user, who has permissions to read the .tasks index, to access sensitive request headers belonging to other users within the same cluster. The issue poses a risk of unintended data exposure and is addressed in Elasticsearch version 7.10.2.

Affected Version(s)

Elasticsearch 7.7.0 to 7.10.1

References

https://discuss.elastic.co/t/elasticsearch-7-10-2-securit...
x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210219-0004/
x_refsource_CONFIRM

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.