BIT-elasticsearch-2021-22132

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/elasticsearch/BIT-elasticsearch-2021-22132.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-elasticsearch-2021-22132

Aliases

Published

2024-03-06T10:54:05.664Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

Database specific

{
    "cpes": [
        "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}

References

Affected packages

Bitnami / elasticsearch

Package

Name: elasticsearch
Purl: pkg:bitnami/elasticsearch

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

7.7.0

Fixed

7.10.2