{"id": "SECURITYVULNS:VULN:13990", "bulletinFamily": "software", "title": "elasticsearch weak CORS policy", "description": "Crossite requests to local network are possible.", "published": "2014-10-05T00:00:00", "modified": "2014-10-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13990", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31133"], "cvelist": ["CVE-2014-6439"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:57", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "0b36c502727462d99a444476446dd54b"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "c080e85db00a9d0e04a5ef2b309d17bf"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "ba3f8e85937e3afc2447c4a37912a324"}, {"key": "href", "hash": "b41395b75fd8d87f272b702972919f5b"}, {"key": "modified", "hash": "369b9f608451f47f7fe57a45258cfd0c"}, {"key": "published", "hash": "369b9f608451f47f7fe57a45258cfd0c"}, {"key": "references", "hash": "40e3f9ec9effabb19c0417b804caf5dc"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "0b89a207f8e3f6ac0abb52dc28124972"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "61ddd73449da6b389e56a19dd84835ed7891be37559e0593f514c3410a22fd55", "viewCount": 2, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2018-08-31T11:09:57"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-6439"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31133"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808506", "OPENVAS:1361412562310808092"]}, {"type": "nessus", "idList": ["FREEBSD_PKG_5951FB491BA211E5B43D002590263BF5.NASL"]}, {"type": "freebsd", "idList": ["5951FB49-1BA2-11E5-B43D-002590263BF5"]}], "modified": "2018-08-31T11:09:57"}, "vulnersScore": 2.1}, "objectVersion": "1.3", "affectedSoftware": [{"name": "elasticsearch", "operator": "eq", "version": "1.3"}]}

{"cve": [{"lastseen": "2018-10-10T11:05:22", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in the CORS functionality in Elasticsearch before 1.4.0.Beta1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "modified": "2018-10-09T15:51:23", "published": "2014-10-09T21:55:11", "id": "CVE-2014-6439", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6439", "title": "CVE-2014-6439", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:54", "bulletinFamily": "software", "description": "\r\n\r\nSummary:\r\nElasticsearch versions 1.3.x and prior have a default configuration for\r\nCORS that allows an attacker to craft links that could cause a user\u2019s\r\nbrowser to send requests to Elasticsearch instances on their local network.\r\nThese requests could cause data loss or compromise.\r\n\r\nWe have been assigned CVE-2014-6439 for this issue.\r\n\r\n\r\nFixed versions:\r\nVersion 1.4.0 beta 1 and later change the default configuration.\r\n\r\n\r\nRemediation:\r\nUsers should either set \u201chttp.cors.enabled\u201d to false, or set\r\n\u201chttp.cors.allow-origin\u201d to the value of the server that should be allowed\r\naccess, such as localhost or a server hosting Kibana. Disabling CORS\r\nentirely with the former setting is more secure, but may not be suitable\r\nfor all use cases.\r\n\r\nCVSS\r\nOverall CVSS score: 5.3\r\n\r\nMore information:\r\nhttp://www.elasticsearch.org/blog/elasticsearch-1-4-0-beta-released/\r\n\r\n", "modified": "2014-10-05T00:00:00", "published": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31133", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31133", "title": "Elasticsearch vulnerability CVE-2014-6439", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-11-14T14:51:16", "bulletinFamily": "scanner", "description": "This host is running Elasticsearch\n and is prone to Cross-site Scripting (XSS) vulnerability.", "modified": "2018-11-13T00:00:00", "published": "2016-06-28T00:00:00", "id": "OPENVAS:1361412562310808506", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808506", "title": "Elasticsearch Cross-site Scripting (XSS) Vulnerability (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_elasticsearch_xss_vuln_lin.nasl 12338 2018-11-13 14:51:17Z asteins $\n#\n# Elasticsearch Cross-site Scripting (XSS) Vulnerability (Linux)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:elasticsearch:elasticsearch\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808506\");\n script_version(\"$Revision: 12338 $\");\n script_cve_id(\"CVE-2014-6439\");\n script_bugtraq_id(70233);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-13 15:51:17 +0100 (Tue, 13 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-28 18:37:05 +0530 (Tue, 28 Jun 2016)\");\n script_name(\"Elasticsearch Cross-site Scripting (XSS) Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is running Elasticsearch\n and is prone to Cross-site Scripting (XSS) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Flaw is due to an error in the\n CORS functionality.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allows remote\n attackers to inject arbitrary web script or HTML.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"affected\", value:\"Elasticsearch version 1.3.x and prior\n on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Elasticsearch version 1.4.0.Beta1,\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.elastic.co/community/security/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/533602/100/0/threaded\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_elastsearch_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"elasticsearch/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 9200);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!esPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!esVer = get_app_version(cpe:CPE, port:esPort)){\n exit(0);\n}\n\nesVer1 = eregmatch(pattern:\"([0-9.]+)\", string:esVer);\nesVer = esVer1[1];\n\n##version info taken from https://www.elastic.co/downloads/past-releases\nif(version_is_less(version:esVer, test_version:\"1.4.0\"))\n{\n report = report_fixed_ver(installed_version:esVer, fixed_version:\"1.4.0.Beta1\");\n security_message(data:report, port:esPort);\n exit(0);\n}\n\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-21T13:04:45", "bulletinFamily": "scanner", "description": "This host is running Elasticsearch\n and is prone to Cross-site Scripting (XSS) vulnerability.", "modified": "2018-11-20T00:00:00", "published": "2016-06-23T00:00:00", "id": "OPENVAS:1361412562310808092", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808092", "title": "Elasticsearch Cross-site Scripting (XSS) Vulnerability (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_elasticsearch_xss_vuln_win.nasl 12431 2018-11-20 09:21:00Z asteins $\n#\n# Elasticsearch Cross-site Scripting (XSS) Vulnerability (Windows)\n#\n# Authors:\n# Tushar Khelge <ktushar@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:elasticsearch:elasticsearch\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808092\");\n script_version(\"$Revision: 12431 $\");\n script_cve_id(\"CVE-2014-6439\");\n script_bugtraq_id(70233);\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-20 10:21:00 +0100 (Tue, 20 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-23 12:32:03 +0530 (Thu, 23 Jun 2016)\");\n script_name(\"Elasticsearch Cross-site Scripting (XSS) Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is running Elasticsearch\n and is prone to Cross-site Scripting (XSS) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Flaw is due to an error in the\n CORS functionality.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allows remote\n attackers to inject arbitrary web script or HTML.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"affected\", value:\"Elasticsearch version 1.3.x and prior\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Elasticsearch version 1.4.0.Beta1,\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.elastic.co/community/security/\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/archive/1/533602/100/0/threaded\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_elastsearch_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"elasticsearch/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 9200);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!esPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!esVer = get_app_version(cpe:CPE, port:esPort)){\n exit(0);\n}\n\nesVer1 = eregmatch(pattern:\"([0-9.]+)\", string:esVer);\nesVer = esVer1[1];\n\n##version info taken from https://www.elastic.co/downloads/past-releases\nif(version_is_less(version:esVer, test_version:\"1.4.0\"))\n{\n report = report_fixed_ver(installed_version:esVer, fixed_version:\"1.4.0.Beta1\");\n security_message(data:report, port:esPort);\n exit(0);\n}\n\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:39", "bulletinFamily": "unix", "description": "\nElastic reports:\n\nVulnerability Summary: Elasticsearch versions 1.3.x and prior have\n\t a default configuration for CORS that allows an attacker to craft\n\t links that could cause a user's browser to send requests to\n\t Elasticsearch instances on their local network. These requests could\n\t cause data loss or compromise.\nRemediation Summary: Users should either set \"http.cors.enabled\" to\n\t false, or set \"http.cors.allow-origin\" to the value of the server\n\t that should be allowed access, such as localhost or a server hosting\n\t Kibana. Disabling CORS entirely with the former setting is more\n\t secure, but may not be suitable for all use cases.\n\n", "modified": "2014-10-01T00:00:00", "published": "2014-10-01T00:00:00", "id": "5951FB49-1BA2-11E5-B43D-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/5951fb49-1ba2-11e5-b43d-002590263bf5.html", "title": "elasticsearch -- cross site scripting vulnerability in the CORS functionality", "type": "freebsd", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:24:25", "bulletinFamily": "scanner", "description": "Elastic reports :\n\nVulnerability Summary: Elasticsearch versions 1.3.x and prior have a default configuration for CORS that allows an attacker to craft links that could cause a user's browser to send requests to Elasticsearch instances on their local network. These requests could cause data loss or compromise.\n\nRemediation Summary: Users should either set 'http.cors.enabled' to false, or set 'http.cors.allow-origin' to the value of the server that should be allowed access, such as localhost or a server hosting Kibana. Disabling CORS entirely with the former setting is more secure, but may not be suitable for all use cases.", "modified": "2018-12-05T00:00:00", "id": "FREEBSD_PKG_5951FB491BA211E5B43D002590263BF5.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=84412", "published": "2015-06-26T00:00:00", "title": "FreeBSD : elasticsearch -- XSS vulnerability in the CORS functionality (5951fb49-1ba2-11e5-b43d-002590263bf5)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(84412);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2018/12/05 20:31:22\");\n\n script_cve_id(\"CVE-2014-6439\");\n script_bugtraq_id(70233);\n\n script_name(english:\"FreeBSD : elasticsearch -- XSS vulnerability in the CORS functionality (5951fb49-1ba2-11e5-b43d-002590263bf5)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Elastic reports :\n\nVulnerability Summary: Elasticsearch versions 1.3.x and prior have a\ndefault configuration for CORS that allows an attacker to craft links\nthat could cause a user's browser to send requests to Elasticsearch\ninstances on their local network. These requests could cause data loss\nor compromise.\n\nRemediation Summary: Users should either set 'http.cors.enabled' to\nfalse, or set 'http.cors.allow-origin' to the value of the server that\nshould be allowed access, such as localhost or a server hosting\nKibana. Disabling CORS entirely with the former setting is more\nsecure, but may not be suitable for all use cases.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/community/security\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.elastic.co/blog/elasticsearch-1-4-0-beta-released\"\n );\n # https://packetstormsecurity.com/files/128556/Elasticsearch-1.3.x-CORS-Issue.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?13037b05\"\n );\n # http://www.securityfocus.com/archive/1/archive/1/533602/100/0/threaded\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0f8804aa\"\n );\n # https://vuxml.freebsd.org/freebsd/5951fb49-1ba2-11e5-b43d-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a3055169\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:elasticsearch\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/06/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/06/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"elasticsearch<1.4.0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}]}