Description
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Remediation
References
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
https://security.netapp.com/advisory/ntap-20210319-0003/
Related Vulnerabilities
CVE-2021-25946 Vulnerability in npm package nconf-toml
CVE-2019-1003077 Vulnerability in maven package org.jenkins-ci.plugins:audit2db
CVE-2021-4264 Vulnerability in maven package org.webjars.npm:dustjs-linkedin
CVE-2019-5448 Vulnerability in maven package org.webjars.npm:yarn
CVE-2022-41247 Vulnerability in maven package org.jenkins-ci.plugins:bigpanda-jenkins