Information Disclosure Vulnerability in Elasticsearch by Elastic
CVE-2021-22132
4.8 MEDIUM
Summary
Elasticsearch versions ranging from 7.7.0 to 7.10.1 are affected by a vulnerability in the async search API that leads to improper storage of HTTP headers. This flaw can allow an Elasticsearch user, who has permissions to read the .tasks index, to access sensitive request headers belonging to other users within the same cluster. The issue poses a risk of unintended data exposure and is addressed in Elasticsearch version 7.10.2.
Affected Version(s)
Elasticsearch 7.7.0 to 7.10.1
CVSS V3.1
Score: 4.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved