Elasticsearch authorization-header storage issue (ESA-2021-01)
An information disclosure flaw was found in the Elasticsearch async search API. When a user executes an async search, the HTTP headers of that request are stored. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster.
Affected Versions:
All Elasticsearch versions starting with 7.7.0 and before 7.10.2
Solutions and Mitigations:
Users should upgrade to Elasticsearch 7.10.2. There is no known workaround for this issue.
CVSSv3: 4.8 - AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
CVE ID: CVE-2021-22132
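A triage check built from the two conditions above, as an added example that is not part of the original advisory or Elastic's code: it tests a version string against the affected range and lists roles whose index grants cover .tasks with a read privilege. Assumptions: role definitions have the JSON shape returned by `GET /_security/role`, only `read` and `all` are treated as read-granting, and regex index patterns and `allow_restricted_indices` are not modelled; the role names and sample data are constructed.

```python
import fnmatch
import re

# Affected range stated in the advisory: 7.7.0 <= version < 7.10.2
FIRST_AFFECTED = (7, 7, 0)
FIXED_IN = (7, 10, 2)
# Simplified assumption: index privileges treated as granting document reads.
READ_PRIVILEGES = {"read", "all"}


def parse_version(text):
    """Turn '7.9.3' or '7.10.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version falls inside the advisory's affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def roles_reading_tasks(roles):
    """Return sorted names of roles whose index patterns cover .tasks with a read privilege."""
    flagged = []
    for name, body in roles.items():
        for grant in body.get("indices", []):
            patterns = grant.get("names", [])
            privs = set(grant.get("privileges", []))
            # Wildcard patterns such as "*" or ".tasks*" also cover the .tasks index.
            covers = any(fnmatch.fnmatchcase(".tasks", p) for p in patterns)
            if covers and privs & READ_PRIVILEGES:
                flagged.append(name)
                break
    return sorted(flagged)


# Constructed sample in the shape returned by GET /_security/role (not real data).
SAMPLE_ROLES = {
    "app_search": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "ops_debug": {"indices": [{"names": [".tasks"], "privileges": ["read"]}]},
    "wide_reader": {"indices": [{"names": ["*"], "privileges": ["read", "view_index_metadata"]}]},
    "task_monitor": {"indices": [{"names": [".tasks*"], "privileges": ["monitor"]}]},
}

if __name__ == "__main__":
    for v in ("7.6.2", "7.7.0", "7.10.1", "7.10.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("roles to review:", roles_reading_tasks(SAMPLE_ROLES))
```

Roles flagged on an affected cluster are the ones to review until the upgrade to 7.10.2 is in place.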