Описание
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
A flaw was found in Elastic Enterprise Search. An attacker, using an XML External Entity Injection (XXE) issue in the App Search web crawler, could craft a malicious sitemap.xml allowing the crawler to traverse the filesystem of the host running the instance and obtain sensitive files. The highest threat from this vulnerability is to data confidentiality.
Отчет
This vulnerability only affects the 'App Search web crawler beta feature' for Elastic Enterprise Search, as noted in the Elastic.co advisory [1]. That feature is not available in the upstream elasticsearch open source namespace on Github [2]. [1] https://discuss.elastic.co/t/7-12-1-security-update/271433 [2] https://github.com/elastic
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Service Mesh 1 | servicemesh-grafana | Not affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Not affected | ||
| Red Hat Decision Manager 7 | elasticsearch | Not affected | ||
| Red Hat Fuse 7 | elasticsearch | Not affected | ||
| Red Hat Integration Camel K 1 | elasticsearch | Not affected | ||
| Red Hat JBoss Data Grid 6 | elasticsearch | Not affected | ||
| Red Hat JBoss Fuse 6 | elasticsearch | Not affected | ||
| Red Hat JBoss Fuse Service Works 6 | elasticsearch | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-elasticsearch5 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
9.3 Critical
CVSS3
Связанные уязвимости
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
EPSS
9.3 Critical
CVSS3