Vulnerability Description
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Elastic | Elasticsearch | < 6.8.14 |
Related Weaknesses (CWE)
References
- https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263 (Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20210319-0003/ (Third Party Advisory)
FAQ
What is CVE-2020-7021?
CVE-2020-7021 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are enabled. The Elasticsearch audit log could contain sensitive...
How severe is CVE-2020-7021?
CVE-2020-7021 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2020-7021?
Check the references section above for vendor advisories and patch information. Affected products include: Elastic Elasticsearch.