Information disclosure in Elasticsearch

1) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU50604

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-7021

CWE-ID: CWE-532 - Information Exposure Through Log Files

Exploit availability: No

Description

The vulnerability allows a remote administrator to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files, when audit logging and the emit_request_body option is enabled. The Elasticsearch administrator can view the audit log and obtain password hashes or authentication tokens in clear text.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Elasticsearch: 6.0.0 - 7.9.3

CPE2.3

• cpe:2.3:a:elastic_stack:elasticsearch:6.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.1.2:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.1.3:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.1.4:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:elastic_stack:elasticsearch:6.2.2:*:*:*:*:*:*:*

External links

https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/release-notes-6.8.14.html#release-notes-6.8.14
https://www.elastic.co/community/security#ESA-2021-03

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.