FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

elasticsearch -- directory traversal attack with site plugins

Affected packages
elasticsearch < 1.4.5
1.5.0 <= elasticsearch < 1.5.2

Details

VuXML ID a71e7440-1ba3-11e5-b43d-002590263bf5
Discovery 2015-04-27
Entry 2015-06-26

Elastic reports:

Vulnerability Summary: All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch when one or more site plugins are installed, or when Windows is the server OS.

Remediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users that do not want to upgrade can address the vulnerability by disabling site plugins. See the CVE description for additional options.
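The two checks a practitioner wants from this entry are (a) whether an installed version falls in the affected ranges listed above and (b) what a correct containment check for a site-plugin file path looks like, including the Windows case the summary calls out. The block below is an added illustration written for this page; it is not Elasticsearch code or Elastic's fix. The site-plugin root path is a constructed example, and `is_affected` encodes exactly the "Affected packages" ranges.

```python
import posixpath
from urllib.parse import unquote

# Constructed example of a site-plugin root (Elasticsearch 1.x served site plugins
# from plugins/<name>/_site). The path is illustrative only.
SITE_ROOT = "/usr/local/lib/elasticsearch/plugins/example/_site"


def is_affected(version):
    """True if an Elasticsearch version string is in the VuXML ranges:
    elasticsearch < 1.4.5, or 1.5.0 <= elasticsearch < 1.5.2."""
    v = tuple(int(p) for p in version.split("."))
    return v < (1, 4, 5) or (1, 5, 0) <= v < (1, 5, 2)


def resolve_site_path(requested, site_root=SITE_ROOT, windows=False):
    """Map a request path onto a file below site_root.

    Returns the resolved path, or None if the request would escape the root.
    This is the check a site-plugin file handler must perform before opening
    anything; it is a generic hardening pattern, not Elastic's implementation.
    """
    # Decode percent-encoding once so "%2e%2e" is seen as "..". A second layer
    # ("%252e") decodes only to a literal "%2e", which the filesystem does not
    # treat as a dot, so a single decode is the correct amount.
    decoded = unquote(requested)

    # Embedded NUL can truncate the path in lower layers; refuse it outright.
    if "\x00" in decoded:
        return None

    if windows:
        # On Windows the filesystem also accepts "\" as a separator, so a check
        # that only splits on "/" misses "..\..\". Normalise before inspecting.
        decoded = decoded.replace("\\", "/")

    # Split into segments, dropping empty and "." components. Absolute requests
    # are treated as relative to the root rather than rejected.
    parts = [p for p in decoded.split("/") if p not in ("", ".")]

    # Reject any ".." segment, even ones that would net out inside the root;
    # a static site never needs them and it keeps the rule easy to audit.
    if any(p == ".." for p in parts):
        return None

    root = posixpath.normpath(site_root)
    candidate = posixpath.normpath(posixpath.join(root, *parts))

    # Belt and braces: the final path must equal the root or sit strictly
    # below it (the trailing "/" stops "_site2" matching "_site").
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```

On a POSIX host a request such as `..\..\win.ini` is just an odd single filename and `resolve_site_path` accepts it with `windows=False`; the same string with `windows=True` is rejected. That difference is why the advisory lists Windows separately: a handler that only blocks forward-slash traversal is still exploitable there.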

References

Bugtraq ID 74353
CVE Name CVE-2015-3337
URL http://www.securityfocus.com/archive/1/535385
URL https://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
URL https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released
URL https://www.elastic.co/community/security
URL https://www.exploit-db.com/exploits/37054/