{"containers": {"cna": {"affected": [{"product": "Elasticsearch", "vendor": "Elastic", "versions": [{"status": "affected", "version": "7.7.0 to 7.10.1"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:24:15", "orgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "shortName": "elastic"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@elastic.co", "ID": "CVE-2021-22132", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Elasticsearch", "version": {"version_data": [{"version_value": "7.7.0 to 7.10.1"}]}}]}, "vendor_name": "Elastic"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522: Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164", "refsource": "MISC", "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210219-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:30:23.958Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"}]}]}, "cveMetadata": {"assignerOrgId": "271b6943-45a9-4f3a-ab4e-976f3fa05b5a", "assignerShortName": "elastic", "cveId": "CVE-2021-22132", "datePublished": "2021-01-14T19:20:12", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:30:23.958Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB1F6EA5-5747-4DB0-BD17-148468730A3F", "versionEndExcluding": "7.10.2", "versionStartIncluding": "7.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "98FB24DB-AF91-48D0-9CA5-C8250D183FD5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"}, {"lang": "es", "value": "Elasticsearch versiones 7.7.0 hasta 7.10.1, contienen un fallo de divulgaci\u00f3n de informaci\u00f3n en la API de b\u00fasqueda as\u00edncrona. Los usuarios que ejecutan una b\u00fasqueda as\u00edncrona almacenar\u00e1n inapropiadamente los encabezados HTTP. Un usuario de Elasticsearch con la capacidad de leer el \u00edndice .tasks podr\u00eda obtener encabezados de petici\u00f3n confidenciales de otros usuarios en el cl\u00faster. Este problema es corregido en Elasticsearch versi\u00f3n 7.10.2"}], "id": "CVE-2021-22132", "lastModified": "2024-11-21T05:49:34.050", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-14T20:15:13.407", "references": [{"source": "bressers@elastic.co", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"}, {"source": "bressers@elastic.co", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"}, {"source": "bressers@elastic.co", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210219-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "bressers@elastic.co", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "bressers@elastic.co", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:6407", "cpe": "cpe:/a:redhat:integration:1", "impact": "low", "package": "elasticsearch", "product_name": "RHAF Camel-K 1.8", "release_date": "2022-09-09T00:00:00Z"}, {"advisory": "RHSA-2022:5606", "cpe": "cpe:/a:redhat:camel_quarkus:2.7", "impact": "low", "package": "elasticsearch", "product_name": "RHINT Camel-Q 2.7", "release_date": "2022-07-19T00:00:00Z"}], "bugzilla": {"description": "elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure", "id": "1923181", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923181"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-522", "details": ["Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2"], "name": "CVE-2021-22132", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "elasticsearch", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "impact": "low", "package_name": "elasticsearch", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "elasticsearch", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "openshift3/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch5", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-logging-elasticsearch6", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "elasticsearch", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-01-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-22132\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22132\nhttps://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"], "threat_severity": "Moderate"}