CVE-2021-22132

MEDIUM

Elasticsearch < 7.10.2 - Insufficiently Protected Credentials

Title source: rule

Description

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

References (3)

[Release Notes, Vendor Advisory] https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210219-0004/

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 4.8

EPSS 0.0041

EPSS Percentile 61.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (3)

elastic/elasticsearch < 7.10.2

oracle/communications_cloud_native_core_automated_test_suite

org.elasticsearch/elasticsearch < 7.10.2Maven

Timeline

Published Jan 14, 2021

Tracked Since Feb 18, 2026