CVE-2021-22145 (Medium) detected in elasticsearch-7.12.1.jar - autoclosed
mend-bolt-for-github opened this issue · comments
CVE-2021-22145 - Medium Severity Vulnerability
Vulnerable Library - elasticsearch-7.12.1.jar
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: renfeid/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/7.12.1/elasticsearch-7.12.1.jar
Dependency Hierarchy:
- spring-boot-starter-data-elasticsearch-2.5.6.jar (Root Library)
- spring-data-elasticsearch-4.2.6.jar
- elasticsearch-rest-high-level-client-7.12.1.jar
- ❌ elasticsearch-7.12.1.jar (Vulnerable Library)
- elasticsearch-rest-high-level-client-7.12.1.jar
- spring-data-elasticsearch-4.2.6.jar
Found in HEAD commit: 36d307f7ce5b9e7daa672f8b6060e4a4b738b9f4
Found in base branch: master
Vulnerability Details
A memory disclosure vulnerability was identified in Elasticsearch 7.10.0 to 7.13.3 error reporting. A user with the ability to submit arbitrary queries to Elasticsearch could submit a malformed query that would result in an error message returned containing previously used portions of a data buffer. This buffer could contain sensitive information such as Elasticsearch documents or authentication details.
Publish Date: 2021-07-21
URL: CVE-2021-22145
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177
Release Date: 2021-07-21
Fix Resolution: org.elasticsearch:elasticsearch:7.13.4
Step up your Open Source Security Game with WhiteSource here
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
ℹ️ This issue was automatically re-opened by WhiteSource because the vulnerable library in the specific branch(es) has been detected in the WhiteSource inventory.
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.