{
  "threat_severity" : "Moderate",
  "public_date" : "2021-01-14T00:00:00Z",
  "bugzilla" : {
    "description" : "elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure",
    "id" : "1923181",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1923181"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2" ],
  "affected_release" : [ {
    "product_name" : "RHAF Camel-K 1.8",
    "release_date" : "2022-09-09T00:00:00Z",
    "advisory" : "RHSA-2022:6407",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "elasticsearch",
    "impact" : "low"
  }, {
    "product_name" : "RHINT Camel-Q 2.7",
    "release_date" : "2022-07-19T00:00:00Z",
    "advisory" : "RHSA-2022:5606",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2.7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Will not fix",
    "package_name" : "elasticsearch",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "elasticsearch",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Integration Camel Quarkus 1",
    "fix_state" : "Not affected",
    "package_name" : "elasticsearch",
    "cpe" : "cpe:/a:redhat:camel_quarkus:2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "elasticsearch",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "openshift3/ose-logging-elasticsearch5",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-logging-elasticsearch5",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift4/ose-logging-elasticsearch6",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Will not fix",
    "package_name" : "elasticsearch",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-22132\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-22132\nhttps://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164" ],
  "name" : "CVE-2021-22132",
  "csaw" : false
}