CVE-2021-22132: Insufficiently Protected Credentials

March 18, 2021

Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2

References

discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164
github.com/advisories/GHSA-5fvx-2jj3-6mff
nvd.nist.gov/vuln/detail/CVE-2021-22132
security.netapp.com/advisory/ntap-20210219-0004/

Detect and mitigate CVE-2021-22132 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →