Description
Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option is enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.
Remediation
References
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
https://security.netapp.com/advisory/ntap-20210319-0003/
Related Vulnerabilities
CVE-2023-27474 Vulnerability in npm package directus
CVE-2016-0790 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2018-8010 Vulnerability in maven package org.apache.solr:solr-core
CVE-2023-6835 Vulnerability in maven package org.wso2.carbon.apimgt:org.wso2.carbon.forum
CVE-2017-2650 Vulnerability in maven package cprice404:pipeline-classpath