CVE-2015-5531
published 2015-08-17

Priority: P279 · Severity: medium · Score: 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 91.75% (99.8th percentile)
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

Affected

2 ranges
Vendor         Product        Version range            Fixed in
elastic        elasticsearch  >= 0, < 1.7.3+dfsg-3     1.7.3+dfsg-3
elasticsearch  elasticsearch  <= 1.6.0                 (none listed)

Detection & IOCs (extracted from sources)

url:      PUT /_snapshot/test HTTP/1.1
url:      GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
path:     /_snapshot/
command:  ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..
port:     9200
  • HTTP 400 response body containing both 'ElasticsearchParseException' and 'Failed to derive xcontent from' alongside a byte array (e.g. '114, 111, 111, 116, 58') is a reliable indicator of successful path traversal file read via the Snapshot API.
  • Detect path traversal attempts in Snapshot API requests by looking for percent-encoded traversal sequences (%2f..%2f) in GET/PUT requests to the /_snapshot/ endpoint.
  • A SnapshotMissingException error response containing an absolute filesystem path (e.g. /var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwd) in the error body indicates path traversal exploitation and can reveal the server's repo base path.
  • Exploitation requires two preparatory PUT /_snapshot/ requests to create nested repo directories (one as the base, one as 'snapshot-<name>' inside it) before the traversal GET request. Monitor for sequential PUT requests to /_snapshot/ with 'fs' type and nested 'location' paths.
  • The FOFA query 'index_not_found_exception' can be used to identify exposed Elasticsearch instances potentially vulnerable to this CVE.
  • File contents are returned as a comma-separated integer (byte) array inside the ElasticsearchParseException error message. Decode the array to recover the exfiltrated file content.
  • Exploitation requires 'path.repo' to be set in elasticsearch.yml and that directory to be writable by the Elasticsearch process. Without this setting, the preparatory snapshot repository creation steps fail.
  • The traversal bypasses the mandatory 'snapshot-' prefix enforced server-side by first registering a known relative path (e.g. dsr/snapshot-ev1l) and then traversing out of it.
  • Files are read with the privileges of the JVM process, not necessarily root. The set of readable files depends on the OS user running Elasticsearch.
  • Affected versions are Elasticsearch 1.0.0 through 1.6.0. Red Hat Satellite 6.x and Subscription Asset Manager 1.x ship unaffected versions.
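The detection logic described in the indicators above, written out as an added example (not code from this page or from Elastic): it flags percent-encoded traversal in requests to /_snapshot/, spots the preparatory pair of 'fs' repository registrations with nested 'location' values, and decodes the comma-separated byte array that the ElasticsearchParseException error echoes back. The access-log lines, the JSON request bodies and the exact text wrapped around the byte array in the error body are constructed for illustration and are assumptions, not captured traffic.

```python
"""Detection helpers for CVE-2015-5531 (Elasticsearch snapshot API traversal).

Added example, not code from the page or from Elastic. All sample data
below is constructed for illustration.
"""
import json
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed access-log lines: "<method> <path> HTTP/<ver> <status>".
SAMPLE_LOG = """\
PUT /_snapshot/dsr HTTP/1.1 200
PUT /_snapshot/dsr2 HTTP/1.1 200
GET /_snapshot/dsr/ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1 400
GET /_snapshot/backup/snap1 HTTP/1.1 200
GET /_cluster/health HTTP/1.1 200
"""

# Constructed 400 body; the wrapping text around the byte array is assumed,
# only the two marker strings and the int-array form come from the IOC list.
# The bytes spell "root:x:0:0".
SAMPLE_ERROR_BODY = (
    '{"error":"ElasticsearchParseException[Failed to derive xcontent from '
    '(offset=0, length=10): [114, 111, 111, 116, 58, 120, 58, 48, 58, 48]]",'
    '"status":400}'
)

# Constructed repository registrations: base repo, then one nested under it.
SAMPLE_REQUESTS = [
    ("PUT", "/_snapshot/dsr", '{"type":"fs","settings":{"location":"dsr"}}'),
    ("PUT", "/_snapshot/dsr2", '{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}'),
]

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d (?P<status>\d{3})$")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
BYTE_ARRAY_RE = re.compile(r"Failed to derive xcontent from[^\[]*\[([\d,\s]+)\]")


def is_snapshot_traversal(path: str) -> bool:
    """True if the request path targets /_snapshot/ and contains a '..' path
    segment after one round of percent-decoding (%2f..%2f or a literal ../).
    Double-encoded variants would need a second unquote; not covered here."""
    if not path.startswith("/_snapshot/"):
        return False
    return TRAVERSAL_RE.search(unquote(path)) is not None


def scan_log(log_text: str) -> List[dict]:
    """One finding per suspicious snapshot API request in an access log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_snapshot_traversal(m["path"]):
            findings.append({"path": m["path"], "status": int(m["status"]),
                             "reason": "traversal in snapshot API path"})
    return findings


def nested_fs_repo_registrations(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Flag a PUT /_snapshot/<name> that registers an 'fs' repository whose
    location sits under a location registered earlier in the same sequence,
    i.e. the two preparatory PUTs that set up the snapshot-<name> directory."""
    seen_locations: List[str] = []
    hits: List[Tuple[str, str]] = []
    for method, path, body in requests:
        if method != "PUT" or not path.startswith("/_snapshot/"):
            continue
        try:
            doc = json.loads(body)
        except ValueError:
            continue
        if doc.get("type") != "fs":
            continue
        location = doc.get("settings", {}).get("location", "")
        for prev in seen_locations:
            if prev and location.startswith(prev.rstrip("/") + "/"):
                hits.append((path, location))
        seen_locations.append(location)
    return hits


def decode_leaked_bytes(body: str) -> Optional[bytes]:
    """Recover file content from an ElasticsearchParseException body: the
    error echoes the bytes it could not parse as a comma-separated int list."""
    if "ElasticsearchParseException" not in body:
        return None
    m = BYTE_ARRAY_RE.search(body)
    if not m:
        return None
    return bytes(int(x) for x in m.group(1).split(","))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("request:", finding)
    for hit in nested_fs_repo_registrations(SAMPLE_REQUESTS):
        print("nested repo:", hit)
    print("leaked:", decode_leaked_bytes(SAMPLE_ERROR_BODY))
```

Run against a proxy or access log, the request-side check needs no response bodies, so it works even when only URLs are logged; the byte-array decoder needs the 400 body and is the confirmation that a read actually succeeded.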

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            2.0      5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
osv                     5.0    MEDIUM
vulncheck               5.0    MEDIUM
vendor_redhat           5.0    MEDIUM