cbcvebase.
CVE-2015-3337
published 2015-05-01

CVE-2015-3337: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read…

PriorityP346medium4.3CVSS 2.0
AVNACMAuNCPINAN
EXPLOIT
EPSS
33.13%
98.2th percentile
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

Affected

3 ranges
VendorProductVersion rangeFixed in
elasticsearchelasticsearch<= 1.4.4
elasticsearchelasticsearch
elasticsearchelasticsearch

Detection & IOCsextracted from sources · hover to see the quote

  • ·Non-site plugins (Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, analysis plugins, river plugins) do not expose the vulnerability
  • ·Setting http.disable_sites=true in elasticsearch.yml mitigates the traversal but disables all site plugin functionality

CVSS provenance

nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.