{ "threat_severity" : "Moderate", "public_date" : "2025-10-10T09:56:15Z", "bugzilla" : { "description" : "org.elasticsearch/elasticsearch-core: Elasticsearch Insertion of sensitive information in log file", "id" : "2403034", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2403034" }, "cvss3" : { "cvss3_base_score" : "5.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "draft" }, "cwe" : "CWE-532", "details" : [ "Insertion of sensitive information in log file in Elasticsearch can lead to loss of confidentiality under specific preconditions when auditing requests to the reindex API https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex", "A lack of log sanitization has been discovered in Elasticsearch. This issue arises under specific preconditions when auditing requests to the reindex API. Users of affected versions should inspect their logs if they are concerned about confidentiality loss." ], "package_state" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "elasticsearch-core", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/elasticsearch6-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/elasticsearch-operator-bundle", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/elasticsearch-proxy-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/elasticsearch-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/kibana6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/logging-curator5-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Fix deferred", "package_name" : "elasticsearch-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Fix deferred", "package_name" : "elasticsearch-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Fix deferred", "package_name" : "elasticsearch-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Fix deferred", "package_name" : "elasticsearch-core", "cpe" : "cpe:/a:redhat:jbosseapxp" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-37727\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-37727\nhttps://discuss.elastic.co/t/elasticsearch-8-18-8-8-19-5-9-0-8-9-1-5-security-update-esa-2025-18/382453\nhttps://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-reindex" ], "name" : "CVE-2025-37727", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }