CVE-2020-7021
Information Disclosure vulnerability in elasticsearch (Maven)
What is CVE-2020-7021 About?
This vulnerability in Elasticsearch versions prior to 7.10.0 and 6.8.14 leads to information disclosure if audit logging with the `emit_request_body` option is enabled. It can expose sensitive data like password hashes and authentication tokens to Elasticsearch administrators. Exploitation requires administrative access to view logs, but the sensitive data itself becomes easily accessible.
Affected Software
- org.elasticsearch:elasticsearch
  - <6.8.14
  - >=7.0.0, <7.10.0
Technical Details
The vulnerability occurs when Elasticsearch's audit logging is configured with the `emit_request_body` option enabled. In this configuration, the audit logs, which are accessible to Elasticsearch administrators, will contain full request bodies. If these request bodies include sensitive information, such as user-submitted forms containing password hashes or authentication tokens (e.g., in API calls), this data will be written in plain text or a recoverable format into the log files. Therefore, any Elasticsearch administrator with access to these logs can view this sensitive information, directly compromising user credentials or session tokens.
What is the Impact of CVE-2020-7021?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, such as password hashes and authentication tokens, potentially leading to privilege escalation or unauthorized access to other systems.
What is the Exploitability of CVE-2020-7021?
Exploitation of this information disclosure vulnerability requires an attacker to have administrative access to the Elasticsearch instance to view the audit logs. The prerequisite is that the `emit_request_body` option must be enabled in the audit logging configuration, which is not the default. No further authentication is needed beyond access to the logs, because the sensitive data is already present there. This is a local exploitation scenario where an authorized administrator can access inadvertently logged sensitive data. The complexity is low once administrative access is obtained and the logging configuration is known.
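A defender-side exposure check for the conditions described above, as an added example that is not part of the original advisory or Elastic's code: it flags a node only when the version falls in the affected ranges and both audit logging and `emit_request_body` are turned on in `elasticsearch.yml`. The full dotted setting names and the sample configurations are supplied here (the page names only `emit_request_body`), and settings applied outside `elasticsearch.yml` are not inspected.

```python
import re

# Elasticsearch setting names; the page itself names only emit_request_body.
AUDIT_ENABLED = "xpack.security.audit.enabled"
EMIT_BODY = "xpack.security.audit.logfile.events.emit_request_body"

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_FLAT = """\
xpack.security.audit.enabled: true
xpack.security.audit.logfile.events.emit_request_body: true  # constructed
"""
SAMPLE_NESTED = """\
xpack.security.audit:
  enabled: true
  logfile.events:
    emit_request_body: true
"""

def flatten_yaml(text):
    """Flatten simple nested 'key: value' mappings into dotted setting names."""
    settings, stack = {}, []  # stack: (indent, key) of currently open parents
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if ":" not in line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # close parents at the same or deeper indentation
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[dotted] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return settings

def version_affected(version):
    """Affected ranges listed on the page: <6.8.14 and >=7.0.0, <7.10.0."""
    v = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return v < (6, 8, 14) or (7, 0, 0) <= v < (7, 10, 0)

def exposed(version, yaml_text):
    """True when an affected version has audit logging and emit_request_body on."""
    s = flatten_yaml(yaml_text)
    on = lambda k: s.get(k, "false").lower() == "true"  # both default to false
    return version_affected(version) and on(AUDIT_ENABLED) and on(EMIT_BODY)

if __name__ == "__main__":
    for ver, cfg in [("7.9.3", SAMPLE_NESTED), ("6.8.14", SAMPLE_FLAT)]:
        print(ver, "exposed" if exposed(ver, cfg) else "not exposed")
```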
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-7021?
Available Upgrade Options
- org.elasticsearch:elasticsearch
  - <6.8.14 → Upgrade to 6.8.14
- org.elasticsearch:elasticsearch
  - >=7.0.0, <7.10.0 → Upgrade to 7.10.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2020-7021
- https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
- https://security.netapp.com/advisory/ntap-20210319-0003/
- https://github.com/elastic/elasticsearch
- https://osv.dev/vulnerability/GHSA-cqgv-256r-m9r8
What are Similar Vulnerabilities to CVE-2020-7021?
Similar Vulnerabilities: CVE-2019-10156, CVE-2021-23393, CVE-2022-31195, CVE-2023-38407, CVE-2017-1000251
