CVE-2021-22132

Published: Jan 14, 2021Modified: Nov 21, 2024

4.8

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.2 / Impact: 3.6

Source: NVD

Description

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

Affected (2)

Products: Elastic: Elasticsearch · Oracle: Communications Cloud Native Core Automated Test Suite

1 product

1 product

Communications Cloud Native Core Automated Test Suite

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	From 7.7.0 to 7.10.2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Cloud Native Core Automated Test Suite	Version 1.8.0

Related CWEs

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (6)

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Source: security@elastic.co

Release NotesVendor Advisory

https://security.netapp.com/advisory/ntap-20210219-0004/

Source: security@elastic.co

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: security@elastic.co

PatchThird Party Advisory

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://security.netapp.com/advisory/ntap-20210219-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.