Information Disclosure Vulnerability in Elasticsearch by Elastic
CVE-2021-22132

4.8 MEDIUM

Key Information:

Vendor
Elastic
CVE Published:
14 January 2021

Summary

Elasticsearch versions 7.7.0 through 7.10.1 contain a flaw in the async search API: HTTP headers from the originating request could be stored together with the task record in the .tasks index. Any Elasticsearch user with permission to read the .tasks index could therefore obtain sensitive request headers belonging to other users of the same cluster. The issue is fixed in Elasticsearch 7.10.2; on an unpatched cluster, the practical exposure is bounded by which roles grant read access to the .tasks index.

Affected Version(s)

Elasticsearch 7.7.0 to 7.10.1
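The two checks a practitioner would run against this advisory are "is my node version in the affected range" and "which roles can read .tasks". The script below is an added example, not code from Elastic or from the advisory. It assumes the role layout returned by the Elasticsearch Get Roles API (an `indices` array whose entries carry `names` patterns and `privileges`), and it treats the privilege names in `READ_PRIVILEGES` as the ones that allow reading documents; the `SAMPLE_ROLES` data is constructed for the example. Note that version strings must be compared numerically, since as strings "7.10.1" sorts before "7.7.0".

```python
"""Checks for CVE-2021-22132: affected-version test and a scan for roles that can
read the .tasks index. Added example; not Elastic's code. Sample data is constructed."""
import re
from fnmatch import fnmatchcase

AFFECTED_MIN = (7, 7, 0)
AFFECTED_MAX = (7, 10, 1)   # inclusive; 7.10.2 is the first fixed release
FIXED_IN = (7, 10, 2)

# Assumption: these index privileges let a user read documents from an index.
# 'all' and 'read' certainly do; the cross-cluster variant is included because
# a remote-cluster search also returns document contents.
READ_PRIVILEGES = {"all", "read", "read_cross_cluster"}


def parse_version(version: str) -> tuple:
    """Turn '7.10.1' (or '7.9.3-SNAPSHOT') into an int tuple for numeric comparison."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Elasticsearch version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version lies in 7.7.0 .. 7.10.1 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def roles_that_can_read(roles: dict, index_name: str = ".tasks") -> list:
    """Return the names of roles whose index privileges grant read on index_name.

    Index name patterns in role definitions use shell-style wildcards ('*', 'logs-*');
    fnmatchcase reproduces that, and, as in Elasticsearch, a bare '*' also matches
    dot-prefixed indices such as .tasks (fnmatch gives a leading dot no special status).
    """
    hits = []
    for role_name, role in roles.items():
        for entry in role.get("indices", []):
            privileges = set(entry.get("privileges", []))
            patterns = entry.get("names", [])
            if privileges & READ_PRIVILEGES and any(
                fnmatchcase(index_name, pattern) for pattern in patterns
            ):
                hits.append(role_name)
                break
    return sorted(hits)


def assess(version: str, roles: dict) -> dict:
    """Combine both checks into one report for a cluster."""
    affected = is_affected(version)
    readers = roles_that_can_read(roles)
    return {
        "version": version,
        "affected": affected,
        "roles_with_tasks_read": readers,
        "exposed": affected and bool(readers),
    }


# Constructed sample roles, shaped like a Get Roles API response.
SAMPLE_ROLES = {
    "superuser_like": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
    "log_reader": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "tasks_auditor": {"indices": [{"names": [".tasks"], "privileges": ["read", "view_index_metadata"]}]},
    "tasks_meta_only": {"indices": [{"names": [".tasks"], "privileges": ["view_index_metadata"]}]},
}

if __name__ == "__main__":
    for v in ("7.6.2", "7.7.0", "7.10.1", "7.10.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(assess("7.10.1", SAMPLE_ROLES))
```

On a live cluster the version comes from `GET /` (`version.number`) and the roles from `GET /_security/role`; feed those two JSON documents into `assess`. A role that only holds `view_index_metadata` on .tasks does not show up, because that privilege exposes settings and mappings, not the stored documents that carry the headers.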

References

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Score:
4.8
Severity:
MEDIUM
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged
Confidentiality:
High
Integrity:
None
Availability:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved