PT-2021-14860 · Elastic · Elasticsearch
Published
2021-01-14
·
Updated
2024-03-06
·
CVE-2021-22132
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Elasticsearch versions 7.7.0 through 7.10.1
Description
The issue is an information disclosure flaw in the async search API. When an async search is executed, HTTP headers are improperly stored. An Elasticsearch user with read access to the .tasks index can obtain sensitive request headers of other users in the cluster.
Recommendations
For Elasticsearch versions 7.7.0 through 7.10.1, update to version 7.10.2 to resolve the issue.
As a temporary workaround, consider restricting access to the .tasks index to minimize the risk of exploitation.
Fix
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Elasticsearch