Information Exposure Affecting org.elasticsearch:elasticsearch Open this link in a new tab package, versions [7.10.0, 7.13.4)


0.0
medium
  • Exploit Maturity

    Mature

  • Attack Complexity

    Low

  • Confidentiality

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGELASTICSEARCH-1324571

  • published

    13 Jan 2022

  • disclosed

    22 Jul 2021

  • credit

    Unknown

How to fix?

Upgrade org.elasticsearch:elasticsearch to version 7.13.4 or higher.

Overview

org.elasticsearch:elasticsearch is a Distributed, RESTful Search Engine.

Affected versions of this package are vulnerable to Information Exposure. A memory disclosure vulnerability was identified in Elasticsearch within its error reporting component. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.