CVE-2018-17247: XML External Entity (XXE) Injection in Elasticsearch

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.3% (top 48.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Dec 20
Latest update: May 13

Description

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager, then an attacker could send a specially crafted request capable of leaking the content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5: elastic/elasticsearch 6.5.0 and 6.5.1
NVD: elastic/elasticsearch 6.5.0, 6.5.1 (+1)

Vulnerability Details (3)

OSV: Improper Restriction of XML External Entity Reference in Elasticsearch (2022-05-13)
GHSA: Improper Restriction of XML External Entity Reference in Elasticsearch (2022-05-13)
CVEList: CVE-2018-17247: Elasticsearch Security versions 6 (2018-12-20)