Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process.
b31e33f0be2db96a5fdb079e65aaf1b8bd17143da9e03e617b58e897d6aa2937Summary:
Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory traversal attack that allows an attacker to retrieve files that are readable by the Elasticsearch JVM process.
We have been assigned CVE-2015-5531 for this issue.
Fixed versions:
Versions 1.6.1 and 1.7.0 address the vulnerability.
Remediation:
Users should upgrade to the 1.6.1 or 1.7.0 releases. Users that do not wish to upgrade can use a firewall, reverse proxy, or Shield to prevent snapshot API calls from untrusted sources.
CVSS
Overall CVSS score: 2.6
Credits:
Benjamin Smith reported the issue.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed