Vulnerability CVE-2020-13956 reported on Elasticsearch 7.17.4

Hello,

Vulnerability CVE-2020-13956 is reported on the httpclient-4.5.10.jar library of the reindex module of Elasticsearch (modules/reindex/httpclient-4.5.10.jar).

Are there any official statements regarding whether this vulnerability does indeed apply to Elasticsearch 7.17.4, or any plan to upgrade httpclient to a version that does not have the vulnerability?

If not, is there any way that I can help with upgrading this dependency to a higher version?

Thanks for your help on this.

Thank you for your report.

Elastic's security reporting guidelines are available at Security issues | Elastic.

Per those guidelines, all reports of potential security issues or vulnerabilities should be sent via email to security@elastic.co.

We are unable to discuss potential issues of this nature here. Please send your report to the email address above, where it can be appropriately handled.

I've sent an email to security@elastic.co, thank you @ikakavas.

Hi @ikakavas. I didn't get any answer to my email to security@elastic.co. Is there any other communication channel that can be used to discuss this type of topic?

No. There is a queue and you will get an answer as soon as possible. If this is urgent on your side, please engage through your support engineer. Thank you for your patience.
