CVE-2021-22132 in Elastic and Oracle Products
Published on January 14, 2021
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2021-22132
stack.watch emails you whenever new vulnerabilities are published in Elasticsearch or Oracle Communications Cloud Native Core Automated Test Suite. Just hit a watch button to start following.
Affected Versions
Elasticsearch Version 7.7.0 to 7.10.1 is affected by CVE-2021-22132Exploit Probability
EPSS
0.41%
Percentile
61.06%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.