Main Vulnerability Database SB2015050102

SB2015050102 - Path traversal in Elasticsearch

Published: May 1, 2015 Updated: February 11, 2021

Security Bulletin ID SB2015050102

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Path traversal (CVE-ID: CVE-2015-3337)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled,. A remote authenticated attacker can send a specially crafted HTTP request and remote attackers to read arbitrary files via unspecified vectors.

Remediation

Install update from vendor's website.

References

http://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
http://www.debian.org/security/2015/dsa-3241
http://www.securityfocus.com/archive/1/535385
http://www.securityfocus.com/bid/74353
https://www.elastic.co/community/security
https://www.exploit-db.com/exploits/37054/