PT-2021-14868 · Elastic · App Search
Dominic Couture · Published 2021-05-13 · Updated 2021-05-21 · CVE-2021-22140
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Elastic App Search versions after 7.11.0 and before 7.12.0
Description:
The App Search web crawler beta feature contains an XML External Entity (XXE) injection vulnerability. By crafting a malicious sitemap.xml file, an attacker can traverse the filesystem of the host running the instance and obtain sensitive files.
Recommendations:
For Elastic App Search versions after 7.11.0 and before 7.12.0, consider disabling the App Search web crawler beta feature until a patch is available to prevent potential exploitation.
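As a defensive illustration of the sitemap handling described above (an added example, not code from Elastic or from this advisory), the parser below refuses any DOCTYPE or entity declaration before it reads `<loc>` values. The use of Python's `xml.parsers.expat`, the names `parse_sitemap` and `UnsafeSitemap`, and both sample documents are assumptions made for the example.

```python
import xml.parsers.expat

NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
LOC = NS + " loc"  # expat reports names as "<namespace> <local name>"

# Constructed samples: a normal sitemap, and one whose DTD declares an
# external entity (the system identifier is a placeholder path).
BENIGN = f'''<urlset xmlns="{NS}">
  <url><loc>https://example.com/</loc></url>
  <url><loc> https://example.com/docs </loc></url>
</urlset>'''.encode()
HOSTILE = f'''<!DOCTYPE urlset [<!ENTITY x SYSTEM "file:///constructed/placeholder">]>
<urlset xmlns="{NS}"><url><loc>&x;</loc></url></urlset>'''.encode()

class UnsafeSitemap(ValueError):
    """The sitemap contains a DOCTYPE or entity construct."""

def _forbid(kind):
    def handler(*_args):
        raise UnsafeSitemap(f"{kind} is not allowed in a sitemap")
    return handler

def parse_sitemap(data):
    """Return the <loc> values of a sitemap; raise UnsafeSitemap on any DTD."""
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    # Sitemaps never need a DTD, so stop at the DOCTYPE, before any entity
    # can be declared or resolved. The other two handlers are defence in depth.
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    urls, open_loc = [], []  # open_loc holds the text buffer of an open <loc>

    def start(name, _attrs):
        if name == LOC:
            open_loc.append([])

    def chars(text):
        if open_loc:
            open_loc[-1].append(text)

    def end(name):
        if name == LOC and open_loc:
            urls.append("".join(open_loc.pop()).strip())

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return urls
```

Rejecting the document at the DOCTYPE means a crawler can log and skip the sitemap instead of parsing it with entities disabled and hoping no other DTD feature is reachable.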
Fix
XXE
Affected Products
App Search