CVE-2021-22132

MEDIUM

Elasticsearch 7.7.0-7.10.1 - Information Disclosure via Async Search API

Title source: llm
STIX 2.1

Description

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

References (3)

Core 3
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210219-0004/

Scores

CVSS v3 4.8
EPSS 0.0041
EPSS Percentile 61.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Details

CWE
CWE-522
Status published
Products (3)
elastic/elasticsearch 7.7.0 - 7.10.2
oracle/communications_cloud_native_core_automated_test_suite 1.8.0
org.elasticsearch/elasticsearch 7.7.0 - 7.10.2Maven
Published Jan 14, 2021
Tracked Since Feb 18, 2026