CVE-2018-17247
published 2018-12-20CVE-2018-17247: Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access…
PriorityP434medium5.9CVSS 3.0
AVNACHPRNUINSUCHINAN
EPSS
1.38%
68.7th percentile
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | — | — |
| elastic | elasticsearch | — | — |
CVSS provenance
nvdv3.05.9MEDIUMCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Improper Restriction of XML External Entity Reference in Elasticsearch
osv·2022-05-13
CVE-2018-17247 [MEDIUM] Improper Restriction of XML External Entity Reference in Elasticsearch
Improper Restriction of XML External Entity Reference in Elasticsearch
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
GHSA
Improper Restriction of XML External Entity Reference in Elasticsearch
ghsa·2022-05-13
CVE-2018-17247 [MEDIUM] CWE-611 Improper Restriction of XML External Entity Reference in Elasticsearch
Improper Restriction of XML External Entity Reference in Elasticsearch
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.securityfocus.com/bid/106294https://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594https://www.elastic.co/community/securityhttp://www.securityfocus.com/bid/106294https://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594https://www.elastic.co/community/security
2018-12-20
Published