Elastic Elasticsearch Security Information Disclosure Vulnerability (ESA-2018-19)
Summary
Elasticsearch Security is prone to an information disclosure vulnerability.
Insight
Elasticsearch Security contains an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager, an attacker could send a specially crafted request capable of leaking the content of local files on the Elasticsearch node. Please note: by default Elasticsearch has the Java Security Manager enabled with policies that will cause this attack to fail.
Affected Software
Elasticsearch Security versions 6.5.0 and 6.5.1.
Detection Method
Checks if a vulnerable version is present on the target host.
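As an added example (not Mageni's own check), the version-range test this detection method describes, applied to the JSON banner an Elasticsearch node returns from `GET /`; the sample banners below are constructed, not captured from a real host.

```python
import json
import re

# Affected range from the advisory: 6.5.0 and 6.5.1 are vulnerable, 6.5.2 is the fix.
AFFECTED_MIN = (6, 5, 0)
FIXED = (6, 5, 2)


def parse_version(number):
    """Turn an Elasticsearch version string such as '6.5.1' or '6.5.1-SNAPSHOT'
    into a comparable (major, minor, patch) tuple; any suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", number.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {number!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(number):
    """True when the version lies in the half-open range [6.5.0, 6.5.2)."""
    return AFFECTED_MIN <= parse_version(number) < FIXED


def check_root_response(body):
    """Evaluate the JSON document a node serves at GET / (its version.number
    field) and report whether ESA-2018-19 applies to that version."""
    doc = json.loads(body)
    number = doc["version"]["number"]
    return {"version": number, "affected": is_affected(number), "fixed_in": "6.5.2"}


# Constructed sample banners, trimmed to the field the check needs.
SAMPLE_VULNERABLE = '{"name":"node-1","version":{"number":"6.5.1"}}'
SAMPLE_PATCHED = '{"name":"node-2","version":{"number":"6.5.2"}}'

if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
        print(check_root_response(body))
```

A version match only shows the vulnerable release is installed; whether the flaw is actually reachable depends on the Java Security Manager policy described under Insight, which a banner check cannot see.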
Solution
Update to version 6.5.2 or later.