CVE-2020-7021: Insertion of Sensitive Information into Log File in Elasticsearch
4.9
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.60567%
CWE
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.elasticsearch:elasticsearch | maven | <= 6.8.13 | 6.8.14 |
org.elasticsearch:elasticsearch | maven | >= 7.0.0, <= 7.0.9 | 7.10.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability explicitly relates to audit logging with emit_request_body enabled. These functions are core components of Elasticsearch's audit logging system that would handle request body inclusion. The CWE-532 classification confirms this is a logging-sensitive-data issue. While exact code isn't available, Elasticsearch's architecture documentation and security advisories indicate these components manage request body logging. The patched versions likely added filtering in these functions.