CVE-2018-17247: XEE
First published: Thu Dec 20 2018(Updated: )
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elasticsearch | =6.5.0 | |
| Elastic Elasticsearch | =6.5.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Elasticsearch security vulnerability?
The vulnerability ID for this Elasticsearch security vulnerability is CVE-2018-17247.
What is the severity level of CVE-2018-17247?
CVE-2018-17247 has a severity level of medium.
Which versions of Elasticsearch Security are affected by CVE-2018-17247?
CVE-2018-17247 affects Elasticsearch Security versions 6.5.0 and 6.5.1.
What is the risk of CVE-2018-17247?
CVE-2018-17247 has a risk rating of 5.9.
How can I fix CVE-2018-17247?
To fix CVE-2018-17247, update Elasticsearch Security to a version that is not vulnerable.
- collector/nvd-index
- vendor/elastic
- canonical/elastic elasticsearch
- version/elastic elasticsearch/6.5.0
- version/elastic elasticsearch/6.5.1