PT-2022-20466 · Bleve +1

Abhinavdangeti · Published 2022-06-01 · Updated 2025-07-03 · CVE-2022-31022

CVSS v3.1: 6.2 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Bleve (affected versions not specified)

Description: The issue concerns the bleve/http package, which is intended for demonstration purposes and lacks authentication, authorization, and validation of user input. An attacker can therefore act on the filesystem of the node where the bleve index resides, creating a bleve index or recursively deleting directories. Users who have deployed the bleve/http package without explicit handling for Role-Based Access Controls (RBAC) are impacted.

Recommendations: Do not use the bleve/http package in production, as it is intended for demonstration purposes only. As a temporary workaround, disable the CreateIndexHandler and DeleteIndexHandler functions until alternative measures are in place. Restrict access to the bleve index to minimize the risk of exploitation. Do not use the bleve/http package without implementing explicit Role-Based Access Controls (RBAC) for the index assets. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
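Added example, not part of this advisory or of the bleve project: a Go net/http middleware that applies the recommended RBAC check, and the temporary disable-create/delete workaround, in front of index handlers such as bleve/http's CreateIndexHandler and DeleteIndexHandler. The X-Role header, the index:admin role, the /api/myindex path and the stand-in inner handler are constructed assumptions; the real bleve handlers and the authenticating proxy that would set the header are not included.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// adminRole is the constructed role this example requires for creating or
// deleting an index; read-only requests such as search are not gated here.
const adminRole = "index:admin"
// RequireIndexRole wraps an index handler such as bleve/http's
// CreateIndexHandler (PUT) or DeleteIndexHandler (DELETE) with an RBAC check.
// X-Role is an assumed header set by an upstream proxy only after it has
// authenticated the caller; disabled=true is the temporary workaround.
func RequireIndexRole(next http.Handler, disabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut && r.Method != http.MethodDelete {
			next.ServeHTTP(w, r) // not a mutating index operation
			return
		}
		if disabled {
			http.Error(w, "index create/delete disabled", http.StatusForbidden)
			return
		}
		for _, role := range r.Header.Values("X-Role") {
			if role == adminRole {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// Status runs one request through the guard (inner handler stands in for bleve's) and returns the code.
func Status(method string, roles []string, disabled bool) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(method, "/api/myindex", nil)
	for _, role := range roles {
		req.Header.Add("X-Role", role)
	}
	rec := httptest.NewRecorder()
	RequireIndexRole(ok, disabled).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Status(http.MethodDelete, nil, false)) // 403: anonymous delete refused
}
```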

Weakness Enumeration

Missing Authentication
Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2022-31022
ECHO-D0BA-DD68-1D99
GHSA-9W9F-6MG8-JP7W
GO-2022-0470
OPENSUSE-SU-2025:15225-1

Affected Products

Bleve
Debian