[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Elasticsearch CVE-2015-5531

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Elasticsearch CVE-2015-5531
From: Kevin Kluge <kevin@xxxxxxxxxx>
Date: Thu, 16 Jul 2015 10:19:58 -0700

Summary:
Elasticsearch versions from 1.0.0 to 1.6.0 are vulnerable to a directory 
traversal attack that allows an attacker to retrieve files that are readable by 
the Elasticsearch JVM process.  

We have been assigned CVE-2015-5531 for this issue.


Fixed versions:
Versions 1.6.1 and 1.7.0 address the vulnerability.  


Remediation:
Users should upgrade to the 1.6.1 or 1.7.0 releases.  Users that do not wish to 
upgrade can use a firewall, reverse proxy, or Shield to prevent snapshot API 
calls from untrusted sources.


CVSS
Overall CVSS score: 2.6


Credits:
Benjamin Smith reported the issue.

Prev by Date: Elasticsearch CVE-2015-5377
Next by Date: SEC Consult SA-20150716-0 :: Permanent Cross-Site Scripting in Oracle Application Express
Previous by thread: Elasticsearch CVE-2015-5377
Next by thread: SEC Consult SA-20150716-0 :: Permanent Cross-Site Scripting in Oracle Application Express
Index(es):
- Date
- Thread