CVE-2021-22132

low-risk

Published 2021-01-14

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

Do I need to act?

0.41% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.8/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Elasticsearch

Communications Cloud Native Core Automated Test Suite

Affected Vendors

Oracle Elastic

References (6)

Release Notes https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Third Party Advisory https://security.netapp.com/advisory/ntap-20210219-0004/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Release Notes https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

Third Party Advisory https://security.netapp.com/advisory/ntap-20210219-0004/

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 7/34 · Low