CVE-2021-22140: XEE
First published: Thu May 13 2021(Updated: )
Elastic App Search versions after 7.11.0 and before 7.12.0 contain an XML External Entity Injection issue (XXE) in the App Search web crawler beta feature. Using this vector, an attacker whose website is being crawled by App Search could craft a malicious sitemap.xml to traverse the filesystem of the host running the instance and obtain sensitive files.
Credit: bressers@elastic.co
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Elastic Elastic App Search | >=7.11.0<7.12.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-22140?
CVE-2021-22140 is an XML External Entity Injection (XXE) vulnerability in Elastic App Search versions after 7.11.0 and before 7.12.0.
What is the severity of CVE-2021-22140?
CVE-2021-22140 has a severity of 7.5 (high).
What is affected by CVE-2021-22140?
Elastic App Search versions after 7.11.0 and before 7.12.0 are affected by CVE-2021-22140.
How does CVE-2021-22140 work?
CVE-2021-22140 allows an attacker to craft a malicious sitemap.xml to traverse the filesystem of the server hosting Elastic App Search.
How can I fix CVE-2021-22140?
To fix CVE-2021-22140, update Elastic App Search to version 7.12.0 or later.
- collector/nvd-index
- agent/tags
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/elastic
- canonical/elastic elastic app search
- version/elastic elastic app search/7.11.0