CVE-2018-17247

描述

Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.

受影響套件(1)

• Maven/org.elasticsearch:elasticsearch>= 6.5.0, < 6.5.2

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-17247
• WEBhttps://discuss.elastic.co/t/elastic-stack-6-5-2-security-update/159594
• WEBhttps://www.elastic.co/community/security
• WEBhttp://www.securityfocus.com/bid/106294