Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-6439

Опубликовано: 01 окт. 2014
Источник: redhat
CVSS2: 1.9
EPSS Низкий

Описание

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Отчет

This issue affects the versions of elasticsearch as shipped with Red Hat Satellite 6.x and Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Меры по смягчению последствий

As provided at http://www.elasticsearch.org/community/security/, Users should either set "http.cors.enabled" to false, or set "http.cors.allow-origin" to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases. For Satellite 6.x and Sam 1.x you can simply firewall elasticsearch to trusted users only (e.g. root, katello, foreman). For instructions on this please see: https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/6.0/html-single/Installation_Guide/index.html#sect-Red_Hat_Satellite-Installation_Guide-Red_Hat_Satellite_Installation-Configuring_Red_Hat_Satellite_Manually

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat JBoss Enterprise Web Server 1amq-6Under investigation
Red Hat JBoss Enterprise Web Server 1fuse-6Under investigation
Red Hat JBoss Enterprise Web Server 1fuse-esb-7Under investigation
Red Hat JBoss Enterprise Web Server 1fuse-mc-7Under investigation
Red Hat JBoss Enterprise Web Server 1fuse-mq-7Under investigation
Red Hat Satellite 6DiscoveryUnder investigation
Red Hat Subscription Asset ManagerelasticsearchWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
Дефект:
CWE-345->CWE-352
https://bugzilla.redhat.com/show_bug.cgi?id=1149945Elasticsearch: CSRF via insecure CORS default configuration

EPSS

Процентиль: 60%
0.00397
Низкий

1.9 Low

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-6439

ubuntu
больше 11 лет назад

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

nvd логотип

CVE-2014-6439

nvd
больше 11 лет назад

Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

debian логотип

CVE-2014-6439

debian
больше 11 лет назад

Cross-site scripting (XSS) vulnerability in the CORS functionality in ...

github логотип

GHSA-8699-m855-cwqf

github
больше 3 лет назад

Cross-site scripting in Elasticsearch

EPSS

Процентиль: 60%
0.00397
Низкий

1.9 Low

CVSS2