CVE-2015-5531
published 2015-08-17
CVE-2015-5531: Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API…
Priority P279 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.75% (99.8th percentile)
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | >= 0 < 1.7.3+dfsg-3 | 1.7.3+dfsg-3 |
| elasticsearch | elasticsearch | <= 1.6.0 | — |
Detection & IOCs (extracted from sources)
- HTTP 400 response body containing both 'ElasticsearchParseException' and 'Failed to derive xcontent from' alongside a byte array (e.g. '114, 111, 111, 116, 58') is a reliable indicator of successful path traversal file read via the Snapshot API.
- Detect path traversal attempts in Snapshot API requests by looking for percent-encoded traversal sequences (%2f..%2f) in GET/PUT requests to the /_snapshot/ endpoint.
- A SnapshotMissingException error response containing an absolute filesystem path (e.g. /var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwd) in the error body indicates path traversal exploitation and can reveal the server's repo base path.
- Exploitation requires two preparatory PUT /_snapshot/ requests to create nested repo directories (one as the base, one as 'snapshot-<name>' inside it) before the traversal GET request. Monitor for sequential PUT requests to /_snapshot/ with 'fs' type and nested 'location' paths.
- The FOFA query 'index_not_found_exception' can be used to identify exposed Elasticsearch instances potentially vulnerable to this CVE.
- File contents are returned as a comma-separated integer (byte) array inside the ElasticsearchParseException error message. Decode the array to recover the exfiltrated file content.
- Exploitation requires 'path.repo' to be configured and writable by the Elasticsearch process in elasticsearch.yml. Without this setting, the preparatory snapshot directory creation steps will fail.
- The traversal bypasses the mandatory 'snapshot-' prefix enforced server-side by first creating a known relative path (e.g. dsr/snapshot-ev1l) and then traversing out of it.
- Files are read with JVM process privileges, not necessarily root. The scope of readable files depends on the OS user running Elasticsearch.
- Affected versions are Elasticsearch 1.0.0 through 1.6.0. Red Hat Satellite 6.x and Subscription Asset Manager 1.x ship unaffected versions.
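The request and response indicators listed above can be combined into one log-triage pass that also decodes the byte array, so responders see which content was disclosed. This is an added example, not code from any of the sources on this page; the event tuple layout, the function names and the sample error bodies are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

ENC_TRAVERSAL = re.compile(r"%2f\.\.%2f", re.I)
BYTE_ARRAY = re.compile(r"\d{1,3}(?:\s*,\s*\d{1,3}){3,}")
ECHOED_PATH = re.compile(r"/[^\s\]\"']*/\.\./[^\s\]\"']*")
PARSE_MARKERS = ("ElasticsearchParseException", "Failed to derive xcontent from")

def traversal_request(method, path):
    """True for a GET/PUT under /_snapshot/ that carries a traversal sequence."""
    if method not in ("GET", "PUT") or not path.startswith("/_snapshot/"):
        return False
    return bool(ENC_TRAVERSAL.search(path)) or "/../" in unquote(path)

def leaked_content(status, body):
    """Decode the byte array in a 400 parse error; None if the markers are absent."""
    m = BYTE_ARRAY.search(body)
    if status != 400 or not m or any(s not in body for s in PARSE_MARKERS):
        return None
    values = [int(v) for v in m.group(0).split(",")]
    if max(values) > 255:          # not a byte array after all
        return None
    return bytes(values).decode("utf-8", errors="replace")

def leaked_repo_path(body):
    """Absolute path echoed by a SnapshotMissingException, or None."""
    m = ECHOED_PATH.search(body) if "SnapshotMissingException" in body else None
    return m.group(0) if m else None

def triage(events):
    """events: (client, method, path, status, body) -> list of (client, kind, detail)."""
    findings = []
    for client, method, path, status, body in events:
        checks = (("traversal-request", path if traversal_request(method, path) else None),
                  ("file-disclosed", leaked_content(status, body)),
                  ("repo-path-leaked", leaked_repo_path(body)))
        findings += [(client, kind, detail) for kind, detail in checks if detail]
    return findings

# Constructed sample events (documentation IPs, invented bodies), not real traffic.
SAMPLE = [
    ("203.0.113.7", "PUT", "/_snapshot/test", 200, '{"acknowledged":true}'),
    ("203.0.113.7", "GET", "/_snapshot/test/a%2f..%2f..%2fetc%2fpasswd", 400,
     '{"error":"ElasticsearchParseException[Failed to derive xcontent from '
     '(offset=0, length=5): [114, 111, 111, 116, 58]]","status":400}'),
    ("198.51.100.9", "GET", "/_snapshot/dsr/x%2F..%2F..%2Fetc%2Fpasswd", 404,
     '{"error":"SnapshotMissingException[/var/tmp/dsr/snapshot-dsr/../../../../'
     '../../../../etc/passwd]","status":404}'),
]
```

A `file-disclosed` finding means the read succeeded and the decoded text is what left the host; a `traversal-request` finding on its own is only an attempt.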
CVSS provenance
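| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | | 5.0 | MEDIUM | |
| vulncheck | | 5.0 | MEDIUM | |
| vendor_redhat | | 5.0 | MEDIUM | |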
OSV
Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
osv·2022-05-14
CVE-2015-5531 [MEDIUM] Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
GHSA
Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
ghsa·2022-05-14
CVE-2015-5531 [MEDIUM] CWE-22 Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
OSV
CVE-2015-5531: Directory traversal vulnerability in Elasticsearch before 1
osv·2015-08-17·CVSS 5.0
CVE-2015-5531 [MEDIUM] CVE-2015-5531: Directory traversal vulnerability in Elasticsearch before 1
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
VulnCheck
Elastic Elasticsearch Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2015·CVSS 5.0
CVE-2015-5531 [MEDIUM] Elastic Elasticsearch Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
Affected: Elastic Elasticsearch
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points
Exploit PoC: https://vulncheck.com/xdb/6afe112371ff; https://vulncheck.com/xdb/bf7c15878cf8
Red Hat
elasticsearch: directory traversal attack
vendor_redhat·2015-07-16·CVSS 5.0
CVE-2015-5531 [MEDIUM] CWE-22 elasticsearch: directory traversal attack
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
Statement: This issue does not affect the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x.
Mitigation: Constrain access to the snapshot API to trusted sources.
Package: elasticsearch (Red Hat Satellite 6) - Not affected
Package: elasticsearch (Red Hat Subscription Asset Manager) - Not affected
No detection rules found.
Exploit-DB
ElasticSearch 1.6.0 - Arbitrary File Download
exploitdb·2015-10-02·CVSS 5.0
CVE-2015-5531 [MEDIUM] ElasticSearch 1.6.0 - Arbitrary File Download
---
# elasticpwn Script for ElasticSearch url path traversal vuln. CVE-2015-5531
```
[crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlab.int /etc/hosts
!dSR script for CVE-2015-5531
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
```
The script requires path.repo to be set in elasticsearch.yml and to be writable by the elasticsearch process.
In order to bypass the snapshot- prefix set on the server side, we need to create a known relative path:
```
curl http://exploitlab.int:9200/_snapshot/?pretty
{
  "pwn" : {
    "type" : "fs",
    "settings" : {
      "location" : "dsr"
    }
  },
  "
```
Nuclei
ElasticSearch <1.6.1 - Local File Inclusion
nuclei·CVSS 5.0
CVE-2015-5531 [MEDIUM] ElasticSearch <1.6.1 - Local File Inclusion
ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
Template:
```
id: CVE-2015-5531

info:
  name: ElasticSearch <1.6.1 - Local File Inclusion
  author: princechaddha
  severity: medium
  description: ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.
  remediation: |
    Upgrade ElasticSearch to version 1.6.1 or later to mitigate the vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/elasticsea
```
Metasploit
ElasticSearch Snapshot API Directory Traversal
metasploit
'This module exploits a directory traversal vulnerability in ElasticSearch, allowing an attacker to read arbitrary files with JVM process privileges, through the Snapshot API.'
Greynoiseio
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio·2025-05-27
Greynoiseio
NoiseLetter March 2025
blogs_greynoiseio
Bugzilla
CVE-2015-5531 elasticsearch: directory traversal attack
bugzilla·2015-07-17·CVSS 5.0
CVE-2015-5531 [MEDIUM] CVE-2015-5531 elasticsearch: directory traversal attack
It was reported that Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack.
Mitigation:
Constrain access to the snapshot API to trusted sources.
Discussion:
Created elasticsearch tracking bugs for this issue:
Affects: fedora-all [bug 1244239]
---
Statement:
This issue does not affect the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x.
Bugzilla
CVE-2015-5377 CVE-2015-5531 elasticsearch: various flaws [fedora-all]
bugzilla·2015-07-17·CVSS 9.8
CVE-2015-5377 [CRITICAL] CVE-2015-5377 CVE-2015-5531 elasticsearch: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora.
- http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html
- http://packetstormsecurity.com/files/133797/ElasticSearch-Path-Traversal-Arbitrary-File-Download.html
- http://packetstormsecurity.com/files/133964/ElasticSearch-Snapshot-API-Directory-Traversal.html
- http://www.securityfocus.com/archive/1/536017/100/0/threaded
- http://www.securityfocus.com/bid/75935
- https://www.elastic.co/community/security/
- https://www.exploit-db.com/exploits/38383/
2015-08-17: Published
Exploited in the wild