An information disclosure flaw was found in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster.
Upstream Reference: https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164
Created python-elasticsearch tracking bugs for this issue:
Affects: epel-all [bug 1923183]
Affects: fedora-all [bug 1923185]
Affects: openstack-rdo [bug 1923182]
Elasticsearch versions >= 7.7.0 and < 7.10.2 are affected by this vulnerability.
Upstream fix: https://github.com/elastic/elasticsearch/pull/66294/files
External References: https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164
This issue has been addressed in the following products:
RHINT Camel-Q 2.7
Via RHSA-2022:5606 https://access.redhat.com/errata/RHSA-2022:5606
This issue has been addressed in the following products:
RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
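An added example, not part of the original bug report or of Elastic's code: a Python audit that checks a cluster version against the affected range stated above and lists which roles can read the .tasks index named in the description. It assumes role definitions in the shape returned by GET /_security/role; the function names, the read-privilege set and the sample roles are constructed for illustration, and wildcard names are assumed to match dot-prefixed indices.

```python
import re

# Affected range stated on this page: >= 7.7.0 and < 7.10.2.
AFFECTED_MIN, FIXED_IN = (7, 7, 0), (7, 10, 2)
# Assumption: index privileges treated here as allowing document reads.
READ_PRIVILEGES = {"read", "all"}

def parse_version(text):
    """Return the leading major.minor.patch of a version string as a tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

def pattern_covers(pattern, index=".tasks"):
    """True/False for literal or wildcard names; None for /regex/ names,
    which are left for manual review rather than evaluated here."""
    if len(pattern) > 1 and pattern.startswith("/") and pattern.endswith("/"):
        return None
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, index) is not None

def roles_reading_tasks(roles):
    """Map role name -> 'grants' or 'review' for roles that may read .tasks."""
    findings = {}
    for name, body in roles.items():
        for entry in body.get("indices", []):
            if not READ_PRIVILEGES & set(entry.get("privileges", [])):
                continue
            verdicts = [pattern_covers(p) for p in entry.get("names", [])]
            if True in verdicts:
                findings[name] = "grants"
            elif None in verdicts and name not in findings:
                findings[name] = "review"
    return findings

# Constructed sample role definitions (not taken from any real cluster).
SAMPLE_ROLES = {
    "ops_admin": {"indices": [{"names": ["*"], "privileges": ["all"]}]},
    "task_viewer": {"indices": [{"names": [".tasks"], "privileges": ["read"]}]},
    "log_reader": {"indices": [{"names": ["logs-*"], "privileges": ["read"]}]},
    "regex_role": {"indices": [{"names": ["/\\.t.*/"], "privileges": ["read"]}]},
    "task_writer": {"indices": [{"names": [".tasks"], "privileges": ["write"]}]},
}
```

On a cluster in the affected range, roles reported as "grants" are the ones whose holders could read stored request headers from .tasks; "review" marks regex index names the script does not evaluate.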