CVE-2018-17247

Published: Dec 20, 2018Modified: Nov 21, 2024

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.

Affected (2)

Products: Elastic: Elasticsearch

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Elastic Elasticsearch	Version 6.5.0
Elastic Elasticsearch	Version 6.5.1

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (6)

http://www.securityfocus.com/bid/106294

Source: security@elastic.co

Third Party AdvisoryVDB Entry

https://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594

Source: security@elastic.co

Vendor Advisory

https://www.elastic.co/community/security

Source: security@elastic.co

Vendor Advisory

http://www.securityfocus.com/bid/106294

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.elastic.co/community/security

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.