[MAVEN:GHSA-FH5X-4J57-6Q5X] Improper Access Control in Elasticsearch

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

In Elasticsearch before 1.6.0, the snapshot API allows remote authenticated users to write to and create arbitrary snapshot metadata files, and potentially execute arbitrary code. This applies when another application exists on the system that can read Lucene files and execute code from them, that application is accessible by the attacker, and the Java VM on which Elasticsearch is running can write to a location that the other application can read and execute from.

Affected package: pkg:maven/org.elasticsearch/elasticsearch, version < 1.6.0
Fixed package: pkg:maven/org.elasticsearch/elasticsearch, version = 1.6.0
ID: MAVEN:GHSA-FH5X-4J57-6Q5X
Severity: high
URL: https://github.com/advisories/GHSA-fh5x-4j57-6q5x
Published: 2022-05-14T02:48:29 (2 years ago)
Modified: 2023-01-27T05:02:21 (20 months ago)
Rights: Maven Security Team
Other Advisories
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.elasticsearch/elasticsearch | org.elasticsearch | elasticsearch | < 1.6.0 | | | |
| Fixed | pkg:maven/org.elasticsearch/elasticsearch | org.elasticsearch | elasticsearch | = 1.6.0 | | | |