mend-bolt-for-github[bot]
commented
3 years ago :heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2021-22132 - Medium Severity Vulnerability
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: www.renfei.net/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/7.9.3/elasticsearch-7.9.3.jar
Dependency Hierarchy: - spring-boot-starter-data-elasticsearch-2.4.5.jar (Root Library) - spring-data-elasticsearch-4.1.8.jar - elasticsearch-rest-high-level-client-7.9.3.jar - :x: **elasticsearch-7.9.3.jar** (Vulnerable Library)
Found in base branch: master
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2
Publish Date: 2021-01-14
URL: CVE-2021-22132
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-5fvx-2jj3-6mff
Release Date: 2021-01-14
Fix Resolution: org.elasticsearch:elasticsearch:7.10.2
Step up your Open Source Security Game with WhiteSource here