CVE-2018-17247
low-risk
Published 2018-12-20
Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning's find_file_structure API. If a policy allowing external network access has been added to Elasticsearch's Java Security Manager then an attacker could send a specially crafted request capable of leaking content of local files on the Elasticsearch node. This could allow a user to access information that they should not have access to.
Do I need to act?
-
0.28% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10
Medium
NETWORK
/ HIGH complexity
Affected Products (2)
Affected Vendors
References (6)
Third Party Advisory
http://www.securityfocus.com/bid/106294
Vendor Advisory
https://www.elastic.co/community/security
Third Party Advisory
http://www.securityfocus.com/bid/106294
Vendor Advisory
https://www.elastic.co/community/security
26
/ 100
low-risk
Severity
18/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
7/34 · Low