Information Disclosure Affecting org.elasticsearch:elasticsearch Open this link in a new tab package, versions [7.7.0,7.10.2)
Do your applications use this vulnerable package?
18 Jan 2021
15 Jan 2021
How to fix?
org.elasticsearch:elasticsearch to version 7.10.2 or higher.
org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.
Affected versions of this package are vulnerable to Information Disclosure. An information disclosure flaw exists in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the
.tasks index could obtain sensitive request headers of other users in the cluster.