Elasticsearch versions before 7.10.0 and 6.8.14 have an information disclosure issue when audit logging and the emit_request_body option are enabled. The Elasticsearch audit log could contain sensitive information such as password hashes or authentication tokens. This could allow an Elasticsearch administrator to view these details.

References:
https://discuss.elastic.co/t/elastic-stack-7-11-0-and-6-8-14-security-update/263915
Created python-elasticsearch tracking bugs for this issue:

Affects: epel-all [bug 1927482]
Affects: fedora-all [bug 1927483]
Affects: openstack-rdo [bug 1927481]
Audit logging requires the X-Pack security audit plugin and a GOLD/PLATINUM/ENTERPRISE subscription, so the vulnerable component is not available in the open source version.
Setting Hosting OCP "notaffected" per - http://localhost:5600/static/#/flaw/1927480#comment3 - http://localhost:5600/static/#/task/1927488?tab=product_subtasks_cloudplatform#comment1
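As an added example (not part of the original bug report or of Elasticsearch itself), the triage check implied by the description can be scripted: a node is exposed only when it runs a version before the fixed releases and has both audit logging and `emit_request_body` turned on. The function names and the sample `elasticsearch.yml` are constructed for illustration, and the parser assumes scalar settings written as nested or dotted keys.

```python
import re

# Fixed releases as stated in the bug description above.
FIXED_7X = (7, 10, 0)
FIXED_6X = (6, 8, 14)
AUDIT_ON = "xpack.security.audit.enabled"
EMIT_BODY = "xpack.security.audit.logfile.events.emit_request_body"

# Constructed sample elasticsearch.yml mixing nested and dotted keys.
SAMPLE = """\
xpack:
  security:
    audit:
      enabled: true   # audit logging switched on
      logfile.events.emit_request_body: true
"""

def flatten_settings(yml_text):
    """Flatten elasticsearch.yml (scalar values only) into dotted setting names."""
    settings, stack = {}, []  # stack holds (indent, key) of open parent mappings
    for raw in yml_text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue  # blank lines, full-line comments and list items
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return settings

def is_affected_version(version):
    """True for 7.x before 7.10.0 and for 6.x or older before 6.8.14."""
    v = tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return v < (FIXED_7X if v[0] >= 7 else FIXED_6X)

def audit_body_exposure(version, yml_text):
    """Report each precondition and whether all of them hold together."""
    s = flatten_settings(yml_text)
    on = lambda k: s.get(k, "false").lower() == "true"  # both settings default to false
    result = {"affected_version": is_affected_version(version),
              "audit_enabled": on(AUDIT_ON), "emit_request_body": on(EMIT_BODY)}
    result["exposed"] = all(result.values())
    return result
```

When `exposed` is true, existing audit log files should be treated as containing credentials: restrict access to them and review retention, in addition to upgrading or disabling the option.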