WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2021-22132 Vulnerability in maven package org.elasticsearch:elasticsearch

Description

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

Remediation

References

https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164

https://security.netapp.com/advisory/ntap-20210219-0004/

https://www.oracle.com/security-alerts/cpuapr2022.html

Related Vulnerabilities

CVE-2019-10288 Vulnerability in maven package de.e-nexus:jabber-server-plugin

CVE-2019-13416 Vulnerability in maven package com.floragunn:search-guard-6

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http_2.12

CVE-2020-26272 Vulnerability in npm package electron

CVE-2019-10249 Vulnerability in maven package org.eclipse.xtext:org.eclipse.xtext.maven.parent

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Tags

Release Notes Vendor Advisory Third Party Advisory Patch