Description
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Remediation
References
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
https://security.netapp.com/advisory/ntap-20210319-0003/
Related Vulnerabilities
CVE-2022-43419 Vulnerability in maven package org.jenkins-ci.plugins:katalon
CVE-2022-21186 Vulnerability in npm package @acrontum/filesystem-template
CVE-2022-41713 Vulnerability in maven package org.webjars.npm:deep-object-diff
CVE-2022-21213 Vulnerability in maven package org.webjars.npm:mout
CVE-2021-36151 Vulnerability in maven package org.apache.gobblin:gobblin-core