CVE-2020-7021

Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

CVSS v3 4.9 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915	Vendor Advisory
https://security.netapp.com/advisory/ntap-20210319-0003/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:elastic:elasticsearch::::::::
	cpe:2.3:a:elastic:elasticsearch::::::::

History

No history.

Information

Published : 2021-02-10 19:15

Updated : 2024-02-28 18:08

NVD link : CVE-2020-7021

Mitre link : CVE-2020-7021

CVE.ORG link : CVE-2020-7021

JSON object : View

Products Affected

elastic

elasticsearch

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2020-7021", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2021-02-10T19:15:11.870", "references": [{"url": "https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915", "tags": ["Vendor Advisory"], "source": "bressers@elastic.co"}, {"url": "https://security.netapp.com/advisory/ntap-20210319-0003/", "tags": ["Third Party Advisory"], "source": "bressers@elastic.co"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}, {"type": "Secondary", "source": "bressers@elastic.co", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details."}, {"lang": "es", "value": "Las versiones de Elasticsearch versiones anteriores a 7.10.0 y 6.8.14, presentan un problema de divulgaci\u00f3n de informaci\u00f3n cuando se habilita el registro de auditor\u00eda y la opci\u00f3n emit_request_body. El registro de auditor\u00eda de Elasticsearch podr\u00eda contener informaci\u00f3n confidencial como un hash de contrase\u00f1a o tokens de autenticaci\u00f3n. Esto podr\u00eda permitir a un administrador de Elasticsearch visualizar estos detalles"}], "lastModified": "2021-03-26T12:49:51.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E29B130D-9A66-4C56-BE6C-2388CF0475DF", "versionEndExcluding": "6.8.14"}, {"criteria": "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "846651C1-223C-413E-8FF5-7EC836A5C2BD", "versionEndExcluding": "7.10.0", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "bressers@elastic.co"}