CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2018-17247

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 53.7%

CVSS Severity

CVSS v3 Score 5.9

CVSS v2 Score 4.3

References

http://www.securityfocus.com/bid/106294
https://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594
https://www.elastic.co/community/security
http://www.securityfocus.com/bid/106294
https://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594
https://www.elastic.co/community/security

Products affected by CVE-2018-17247

Elastic » Elasticsearch » Version: 6.5.0

cpe:2.3:a:elastic:elasticsearch:6.5.0
Elastic » Elasticsearch » Version: 6.5.1

cpe:2.3:a:elastic:elasticsearch:6.5.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2018-17247

Products

Pricing

Contact Us