Description
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Remediation
References
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
https://security.netapp.com/advisory/ntap-20210319-0003/
Related Vulnerabilities
CVE-2019-10382 Vulnerability in maven package org.jenkins-ci.plugins:labmanager
CVE-2017-1000356 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2023-36470 Vulnerability in maven package org.xwiki.platform:xwiki-platform-icon-default
CVE-2022-24740 Vulnerability in npm package @plone/volto
CVE-2015-2944 Vulnerability in maven package org.apache.sling:org.apache.sling.api