Vulnerability-Lookup

CVE-2021-22132 (GCVE-0-2021-22132)

Vulnerability from cvelistv5 – Published: 2021-01-14 19:20 – Updated: 2024-08-03 18:30

Summary

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

Severity ?

No CVSS data available.

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

elastic

References

URL

	Vendor	Product	Version
	Elastic	Elasticsearch	Affected: 7.7.0 to 7.10.1

bit-elasticsearch-2021-22132

Vulnerability from bitnami_vulndb

Published

2024-03-06 10:54

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "elasticsearch",
        "purl": "pkg:bitnami/elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.7.0"
            },
            {
              "fixed": "7.10.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-22132"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2",
  "id": "BIT-elasticsearch-2021-22132",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T10:54:05.664Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22132"
    }
  ],
  "schema_version": "1.5.0"
}

FKIE_CVE-2021-22132

Vulnerability from fkie_nvd - Published: 2021-01-14 20:15 - Updated: 2024-11-21 05:49

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security@elastic.co	https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164	Release Notes, Vendor Advisory
security@elastic.co	https://security.netapp.com/advisory/ntap-20210219-0004/	Third Party Advisory
security@elastic.co	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210219-0004/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	elastic	elasticsearch	*
	oracle	communications_cloud_native_core_automated_test_suite	1.8.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB1F6EA5-5747-4DB0-BD17-148468730A3F",
              "versionEndExcluding": "7.10.2",
              "versionStartIncluding": "7.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "98FB24DB-AF91-48D0-9CA5-C8250D183FD5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"
    },
    {
      "lang": "es",
      "value": "Elasticsearch versiones 7.7.0 hasta 7.10.1, contienen un fallo de divulgaci\u00f3n de informaci\u00f3n en la API de b\u00fasqueda as\u00edncrona.\u0026#xa0;Los usuarios que ejecutan una b\u00fasqueda as\u00edncrona almacenar\u00e1n inapropiadamente los encabezados HTTP.\u0026#xa0;Un usuario de Elasticsearch con la capacidad de leer el \u00edndice .tasks podr\u00eda obtener encabezados de petici\u00f3n confidenciales de otros usuarios en el cl\u00faster.\u0026#xa0;Este problema es corregido en Elasticsearch versi\u00f3n 7.10.2"
    }
  ],
  "id": "CVE-2021-22132",
  "lastModified": "2024-11-21T05:49:34.050",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-01-14T20:15:13.407",
  "references": [
    {
      "source": "security@elastic.co",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
    },
    {
      "source": "security@elastic.co",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"
    },
    {
      "source": "security@elastic.co",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    }
  ],
  "sourceIdentifier": "security@elastic.co",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "security@elastic.co",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-22132

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-22132

Aliases

CVE-2021-22132

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-22132",
    "description": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2",
    "id": "GSD-2021-22132",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-22132.html",
      "https://access.redhat.com/errata/RHSA-2022:5606",
      "https://access.redhat.com/errata/RHSA-2022:6407"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-22132"
      ],
      "details": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2",
      "id": "GSD-2021-22132",
      "modified": "2023-12-13T01:23:24.839818Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@elastic.co",
        "ID": "CVE-2021-22132",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Elasticsearch",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "7.7.0 to 7.10.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Elastic"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-522: Insufficiently Protected Credentials"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164",
            "refsource": "MISC",
            "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
          },
          {
            "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
            "refsource": "MISC",
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210219-0004/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[7.7.0,7.10.2)",
          "affected_versions": "All versions starting from 7.7.0 before 7.10.2",
          "cvss_v2": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-522",
            "CWE-937"
          ],
          "date": "2021-03-18",
          "description": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2",
          "fixed_versions": [
            "7.10.2"
          ],
          "identifier": "CVE-2021-22132",
          "identifiers": [
            "GHSA-5fvx-2jj3-6mff",
            "CVE-2021-22132"
          ],
          "not_impacted": "All versions before 7.7.0, all versions starting from 7.10.2",
          "package_slug": "maven/org.elasticsearch/elasticsearch",
          "pubdate": "2021-03-18",
          "solution": "Upgrade to version 7.10.2 or above.",
          "title": "Insufficiently Protected Credentials",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-22132",
            "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164",
            "https://security.netapp.com/advisory/ntap-20210219-0004/",
            "https://github.com/advisories/GHSA-5fvx-2jj3-6mff"
          ],
          "uuid": "f703195c-9fce-41d8-8ee6-ebcdf8b005be"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "7.10.2",
                "versionStartIncluding": "7.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@elastic.co",
          "ID": "CVE-2021-22132"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-522"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210219-0004/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-05-12T14:52Z",
      "publishedDate": "2021-01-14T20:15Z"
    }
  }
}

CNVD-2021-03548

Vulnerability from cnvd - Published: 2021-01-17

Title

Elasticsearch信息泄露漏洞（CNVD-2021-03548）

Description

Elasticsearch是一款基于Lucene库的搜索引擎。 Elasticsearch 7.7.0 - 7.10.1中的异步搜索API存在信息泄露漏洞。该漏洞源于执行异步搜索的用户会不正确存储HTTP标头。能够读取.tasks索引的Elasticsearch用户可利用该漏洞获取集群中其他用户的敏感请求标头。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Elasticsearch信息泄露漏洞（CNVD-2021-03548）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-22132

Impacted products

Name
ElasticSearch ElasticSearch >=7.7.0，<=7.10.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-22132",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-22132"
    }
  },
  "description": "Elasticsearch\u662f\u4e00\u6b3e\u57fa\u4e8eLucene\u5e93\u7684\u641c\u7d22\u5f15\u64ce\u3002\n\nElasticsearch 7.7.0 - 7.10.1\u4e2d\u7684\u5f02\u6b65\u641c\u7d22API\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6267\u884c\u5f02\u6b65\u641c\u7d22\u7684\u7528\u6237\u4f1a\u4e0d\u6b63\u786e\u5b58\u50a8HTTP\u6807\u5934\u3002\u80fd\u591f\u8bfb\u53d6.tasks\u7d22\u5f15\u7684Elasticsearch\u7528\u6237\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u96c6\u7fa4\u4e2d\u5176\u4ed6\u7528\u6237\u7684\u654f\u611f\u8bf7\u6c42\u6807\u5934\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-03548",
  "openTime": "2021-01-17",
  "patchDescription": "Elasticsearch\u662f\u4e00\u6b3e\u57fa\u4e8eLucene\u5e93\u7684\u641c\u7d22\u5f15\u64ce\u3002\r\n\r\nElasticsearch 7.7.0 - 7.10.1\u4e2d\u7684\u5f02\u6b65\u641c\u7d22API\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u6267\u884c\u5f02\u6b65\u641c\u7d22\u7684\u7528\u6237\u4f1a\u4e0d\u6b63\u786e\u5b58\u50a8HTTP\u6807\u5934\u3002\u80fd\u591f\u8bfb\u53d6.tasks\u7d22\u5f15\u7684Elasticsearch\u7528\u6237\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u96c6\u7fa4\u4e2d\u5176\u4ed6\u7528\u6237\u7684\u654f\u611f\u8bf7\u6c42\u6807\u5934\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Elasticsearch\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-03548\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "ElasticSearch ElasticSearch \u003e=7.7.0\uff0c\u003c=7.10.1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-22132",
  "serverity": "\u4e2d",
  "submitTime": "2021-01-15",
  "title": "Elasticsearch\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-03548\uff09"
}

GHSA-5FVX-2JJ3-6MFF

Vulnerability from github – Published: 2021-03-18 19:27 – Updated: 2021-03-16 01:19

Summary

Insufficiently Protected Credentials in Elasticsearch

Details

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.elasticsearch:elasticsearch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.7.0"
            },
            {
              "fixed": "7.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-22132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-16T01:19:41Z",
    "nvd_published_at": "2021-01-14T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2",
  "id": "GHSA-5fvx-2jj3-6mff",
  "modified": "2021-03-16T01:19:41Z",
  "published": "2021-03-18T19:27:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22132"
    },
    {
      "type": "WEB",
      "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210219-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficiently Protected Credentials in Elasticsearch"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-22132 (GCVE-0-2021-22132)

bit-elasticsearch-2021-22132

Vulnerability from bitnami_vulndb

FKIE_CVE-2021-22132

GSD-2021-22132

CNVD-2021-03548

GHSA-5FVX-2JJ3-6MFF

Tags

Sightings

Nomenclature