Description
Insertion of sensitive information into a log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API (https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex).
CVSS breakdown
CVSS 3.1
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
Affected products
- Elastic / Elasticsearch 7.0.0 – 7.17.29
- Elastic / Elasticsearch 8.0.0 – 8.18.7
- Elastic / Elasticsearch 8.19.0 – 8.19.4
- Elastic / Elasticsearch 9.0.0 – 9.0.7
- Elastic / Elasticsearch 9.1.0 – 9.1.4