CVE-2020-7021
Insertion of Sensitive Information into Log File in Elasticsearch
4.9
MEDIUM
CVSS 3.1
EPSS 0.29%
Description
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are both enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
How to fix CVE-2020-7021
To remediate CVE-2020-7021, upgrade the affected package to a fixed version listed below.
- upgrade to 6.8.14 or later
Is CVE-2020-7021 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 6.8.14, >= 7.0.0, < 7.10.0
- from 0, < 6.8.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |