CVE-2021-22132 — Insufficiently Protected Credentials in Elasticsearch

CWE-522 — Insufficiently Protected Credentials7 documents6 sources

Severity

4.8MEDIUMNVD

EPSS

0.4%

top 38.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Elastic Elasticsearch Oracle Communications Cloud Native Core Automated Test Suite

Timeline

PublishedJan 14

Latest updateApr 15

Description

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶NVDelastic/elasticsearch7.7.0 — 7.10.2

▶CVEListV5elastic/elasticsearch7.7.0 to 7.10.1

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.8.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Insufficiently Protected Credentials in Elasticsearch↗2021-03-18

▶

OSV

Insufficiently Protected Credentials in Elasticsearch↗2021-03-18

▶

CVEList

CVE-2021-22132: Elasticsearch versions 7↗2021-01-14

▶

OSV

CVE-2021-22132: Elasticsearch versions 7↗2021-01-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Automated Test Suite Framework (Elasticsearch) — CVE-2021-22132↗2022-04-15

▶

Red Hat

elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure↗2021-01-14

▶