CVE-2021-22132
Insufficiently Protected Credentials in Elasticsearch
CVSS 3.1 score: 4.8 (MEDIUM)
EPSS: 0.41%
Description
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. When a user executes an async search, the HTTP headers of the request are improperly stored with the task record. An Elasticsearch user with the ability to read the .tasks index could therefore obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2.
How to fix CVE-2021-22132
To remediate CVE-2021-22132, upgrade the affected package to a fixed version listed below.
- upgrade to 7.10.2 or later
- upgrade to 7.10.2 or later
Is CVE-2021-22132 being exploited?
Low — the EPSS score is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 7.7.0, < 7.10.2
- >= 7.7.0, < 7.10.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |