CVE-2020-7021
First published: Wed Feb 10 2021(Updated: )
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elasticsearch | <6.8.14 | |
| Elastic Elasticsearch | >=7.0.0<7.10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-7021?
CVE-2020-7021 is a vulnerability in Elasticsearch versions before 7.10.0 and 6.8.14 that allows for information disclosure when audit logging and the emit_request_body option is enabled.
What is the severity of CVE-2020-7021?
The severity of CVE-2020-7021 is medium.
How does CVE-2020-7021 affect Elasticsearch?
CVE-2020-7021 affects Elasticsearch versions before 7.10.0 and 6.8.14 by potentially exposing sensitive information such as password hashes or authentication tokens in the Elasticsearch audit log.
How can I fix CVE-2020-7021?
To fix CVE-2020-7021, it is recommended to upgrade Elasticsearch to version 7.10.0 or 6.8.14, or apply the necessary security updates provided by Elastic.
Are there any references for CVE-2020-7021?
Yes, you can find more information about CVE-2020-7021 at the following references: [1] [2]
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/elastic
- canonical/elastic elasticsearch
- version/elastic elasticsearch/7.0.0